CVE Alert: CVE-2025-9593 – itsourcecode – Apartment Management System
CVE-2025-9593
A flaw has been found in itsourcecode Apartment Management System 1.0. It affects an unknown function in the file /report/unit_status_info.php: manipulating the argument usid can lead to SQL injection. The attack can be executed remotely. An exploit has been published and may be in use.
AI Summary Analysis
Risk verdict: High risk due to remote SQL injection with a publicly disclosed exploit, enabling unauthenticated access over the network.
Why this matters: The flaw can expose or modify tenant data and related records, with potential exfiltration or impersonation risks. Given no user interaction is required and the endpoint is web-facing, an attacker could harvest sensitive information or disrupt operations quickly if the database is reachable from the app server.
Most likely attack path: An attacker sends crafted requests to the vulnerable endpoint (/report/unit_status_info.php) using the usid parameter over the internet, exploiting the SQL injection directly without credentials. The CVSS profile shows network access and no authentication required, so the attacker could read/alter data and potentially pivot within the environment if subsequent access exists.
Who is most exposed: Deployments of itsourcecode Apartment Management System that are internet-facing (common on SMB hosting stacks) and not patched promptly. Organisations hosting this product should assume external scanning and opportunistic exploitation.
Detection ideas:
- Alerts for unusual HTTP requests to unit_status_info.php with atypical or large usid values.
- SQL error or unusual query patterns appearing in application or DB logs.
- WAF signatures or IPS logs showing SQLi patterns in GET/POST data.
- Anomalous data retrieval or modifications from the app that align with a single vulnerable endpoint.
- Indicators of compromise or of attack (IOC/IOA) taken from public exploit reports.
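As an added illustration of the first two detection ideas (this is example code, not from the original page or the product vendor), the following Python scans constructed combined-format access log lines for requests to /report/unit_status_info.php whose usid value is not a short integer; the sample log lines, the length threshold and the keyword list are assumptions chosen for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2025:10:01:02 +0000] "GET /report/unit_status_info.php?usid=12 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Sep/2025:10:01:05 +0000] "GET /report/unit_status_info.php?usid=12%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2025:10:02:11 +0000] "GET /report/unit_status_info.php?usid=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 9000 "-" "sqlmap/1.7"
198.51.100.7 - - [12/Sep/2025:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/report/unit_status_info.php"
MAX_USID_LEN = 10  # assumption: a legitimate unit-status id is a short integer

def classify_usid(value):
    """Return the reasons a decoded usid value looks atypical (empty list = looks normal)."""
    reasons = []
    if not value.isdigit():
        reasons.append("non-numeric")
    if len(value) > MAX_USID_LEN:
        reasons.append("overlong")
    # Quote/comment characters or SQL keywords have no business in a numeric id.
    if re.search(r"['\"#;]|--|/\*|\b(union|select|sleep)\b", value, re.IGNORECASE):
        reasons.append("sql-metachar-or-keyword")
    return reasons

def scan_access_log(text):
    """Return one alert per request to the vulnerable endpoint whose usid parameter is suspicious."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes the value, so "12%27" becomes "12'".
        for value in parse_qs(url.query, keep_blank_values=True).get("usid", []):
            reasons = classify_usid(value)
            if reasons:
                alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                               "status": m.group("status"), "usid": value, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} usid={a['usid']!r} status={a['status']} -> {', '.join(a['reasons'])}")
```

The HTTP status is carried in each alert so that a 500 response to a malformed usid (the "SQL error" signal from the second detection idea) can be weighted higher when tuning the rule.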
Mitigation and prioritisation:
- Upgrade to a fixed version or apply vendor-recommended remediations; switch to parameterised queries and prepared statements.
- Enforce least-privilege DB accounts; disable dynamic SQL and reduce DB surface area.
- Implement input validation and escaping; harden server-side code around usid usage.
- Deploy or tune WAF/IPS rules to block SQLi patterns; enable focused logging and alerting.
- Change-management: test in staging, then patch during a defined window; rotate credentials post-deployment.
- Note: if the CVE is listed in CISA KEV or has an EPSS score ≥ 0.5, treat it as priority 1.