CVE-2025-51683

Published Dec 1, 2025

Last updated 3 months ago

Overview

Description
A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint.
Source
cve@mitre.org
NVD status
Analyzed
Products
mjobtime

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-89

Social media

  1. 🚨 Construction Firms Targeted via mJobTime Blind SQLi to Trigger MSSQL xp_cmdshell RCE Attackers are exploiting a blind SQL injection in **mJobTime v15.7.2** (CVE-2025-51683) by sending crafted IIS **POST** requests to `/Default.aspx/update_profile_Server`, enabling

    @ThreatSynop

    30 Jan 2026


  2. 🚨 CVE-2025-51683 : CRITICAL SQLi ALERT 🚨 @mJobtime A critical unauthenticated blind SQL injection vulnerability has been disclosed in mJobtime, a workforce management and time-tracking platform widely used in construction and field service industries. Risk Severity: Criti

    @OstorlabSec

    27 Jan 2026


  3. Legit construction software quietly exposed backend MSSQL. Attackers took advantage via blind SQL injection (CVE-2025-51683). No malware required. Just xp_cmdshell and permissions doing their job. Inventory your dependencies, not just your apps.  https://t.co/aLrIBBzYsH

    @HuntressLabs

    24 Jan 2026


  4. CVE-2025-51683 A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the … https://t.co/qvGyUKz62w

    @CVEnew

    1 Dec 2025


  5. We've published technical details for CVE-2025-51682 and CVE-2025-51683 – two vulnerabilities in the time management software mJobTime that lead to unauthenticated RCE via SQLi by @dario_weiss: https://t.co/CP9sNeRdQH

    @InfoGuard_Labs

    25 Nov 2025


Configurations