Platform: php
Component: edirectory
Fixed in: 1.0.1
CVE-2019-25675 describes multiple SQL injection vulnerabilities discovered in eDirectory. These vulnerabilities allow unauthenticated attackers to bypass administrator authentication and potentially disclose sensitive files on the server. The issue affects eDirectory versions 1.0.0 through 1.0. A fix is available, and users are strongly advised to upgrade to a patched version.
Successful exploitation of CVE-2019-25675 allows an attacker to bypass administrator authentication by injecting malicious SQL code into the login endpoint's key parameter. This can be achieved through a union-based SQL injection technique. Once authenticated as an administrator, the attacker can then leverage authenticated file disclosure vulnerabilities within the language_file.php file to read arbitrary PHP files from the server. This could lead to the exposure of sensitive configuration data, source code, or other critical information. The potential blast radius extends to any data accessible by the eDirectory application and the underlying server infrastructure.
CVE-2019-25675 was published on 2026-04-05. Public proof-of-concept exploits are likely available given the nature of SQL injection vulnerabilities. While no active exploitation campaigns have been definitively linked to this CVE, the ease of exploitation and the potential for data disclosure make it a high-priority target for attackers. This vulnerability shares similarities with other SQL injection vulnerabilities, where attackers leverage database queries to gain unauthorized access.
EPSS: 0.19% (41st percentile)
The primary mitigation for CVE-2019-25675 is to upgrade to a patched version of eDirectory as soon as it becomes available. In the interim, implement strict input validation on all user-supplied data, particularly the 'key' parameter in the login endpoint. Deploy a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts. Regularly review and update firewall rules to address evolving attack patterns. Consider implementing stricter access controls and limiting file system permissions to minimize the impact of a potential breach.
Update to the latest available version of eDirectory, as the authentication bypass (SQL Injection) vulnerability affects all versions. Review and strengthen security measures, including validation and sanitization of user input in the login endpoint and file handling.
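The exploitation chain described above (union-based injection in the login endpoint's `key` parameter, then PHP file reads through language_file.php) can be hunted for in web-server access logs. The detector below is an added example, not code from the advisory or from eDirectory; the login path `/login.php`, the `file` parameter name on language_file.php, and the log lines themselves are constructed assumptions, since the page names only the `key` parameter and language_file.php.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (not from the page). The login path and the
# language_file.php parameter name are assumptions made for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2026:10:00:01 +0000] "POST /login.php?key=abc123 HTTP/1.1" 302 0
203.0.113.7 - - [05/Apr/2026:10:00:09 +0000] "POST /login.php?key=x'%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 302 0
203.0.113.7 - - [05/Apr/2026:10:00:15 +0000] "GET /language_file.php?file=settings.php HTTP/1.1" 200 4120
198.51.100.4 - - [05/Apr/2026:10:01:00 +0000] "GET /language_file.php?file=en HTTP/1.1" 200 812
"""

# Common/combined log format: client IP, bracketed timestamp, quoted request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Union-based injection signature: a quote-terminated value followed by UNION ... SELECT.
UNION_RE = re.compile(r"['\"].*\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)


def scan_access_log(log_text):
    """Return (ip, finding) tuples for both stages of the advisory's attack chain."""
    findings = []
    bypass_sources = set()  # IPs that sent an injection payload to the login endpoint
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, target = m.group("ip"), m.group("target")
        parts = urlsplit(target)
        params = parse_qs(parts.query, keep_blank_values=True)
        path = parts.path.lower()
        if path.endswith("/login.php"):
            # Stage 1: union-based SQL injection in the `key` parameter. parse_qs already
            # decoded once; decoding again also catches double-encoded payloads.
            for value in params.get("key", []):
                if UNION_RE.search(unquote_plus(value)):
                    findings.append((ip, "sqli_in_login_key"))
                    bypass_sources.add(ip)
        elif path.endswith("/language_file.php"):
            # Stage 2: language_file.php asked for a .php file. Requests from a source that
            # earlier sent an injection payload are the strongest signal of the full chain.
            wants_php = any(v.lower().endswith(".php") for vs in params.values() for v in vs)
            if wants_php and ip in bypass_sources:
                findings.append((ip, "post_bypass_php_file_disclosure"))
            elif wants_php:
                findings.append((ip, "php_file_requested_via_language_file"))
    return findings
```

Run `scan_access_log` over the real access log of the eDirectory host; a `post_bypass_php_file_disclosure` hit for a source is worth treating as a likely successful compromise rather than a blocked probe.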
CVE-2019-25675 is a SQL Injection vulnerability in eDirectory versions 1.0.0–1.0 that allows unauthenticated attackers to bypass authentication and disclose sensitive files.
If you are using eDirectory versions 1.0.0 through 1.0, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.
The recommended fix is to upgrade to a patched version of eDirectory. Until then, implement input validation and WAF rules.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's ease of exploitation makes it a likely target for attackers.
Refer to the official eDirectory security advisories for the most up-to-date information and patching instructions.