CVE-2025-6009 is a SQL Injection vulnerability identified in version 5.2.0 of the kiCode111 like-girl product. The vulnerability resides in the /admin/ipAddPost.php file, specifically in the handling of the bz/ipdz argument. An attacker can manipulate this input parameter to inject malicious SQL code, potentially allowing unauthorized access to or modification of the backend database. The vulnerability is remotely exploitable without requiring user interaction or authentication, which increases its risk profile. Despite the vendor being contacted early about the issue, no response or patch has been provided, and the exploit details have been publicly disclosed. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H) but the vector states PR:H which means high privileges are required, no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The overall CVSS score is 5.1, categorized as medium severity. However, the presence of a publicly known exploit and lack of vendor response elevate the risk for affected systems. The vulnerability allows attackers to perform unauthorized SQL commands, which could lead to data leakage, data corruption, or unauthorized administrative actions depending on the database and application context. The lack of a patch and public exploit availability make timely mitigation critical to prevent exploitation.

For European organizations using kiCode111 like-girl 5.2.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their data. SQL Injection can allow attackers to extract sensitive information such as user credentials, personal data, or business-critical information, violating data protection regulations like GDPR. Integrity could be compromised by unauthorized modification or deletion of data, potentially disrupting business operations or causing reputational damage. Availability impact is rated low but could escalate if attackers leverage the vulnerability to corrupt databases or disrupt services. The fact that exploitation does not require user interaction or authentication means that exposed administrative endpoints are at immediate risk. European organizations in sectors with high data sensitivity, such as finance, healthcare, and government, could face severe compliance and operational consequences if exploited. The vendor’s lack of response and absence of patches increase exposure time, making proactive defense essential.

Given the absence of an official patch, European organizations should implement immediate compensating controls. First, restrict access to the /admin/ipAddPost.php endpoint by IP whitelisting or VPN-only access to limit exposure to trusted users. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the bz/ipdz parameter. Conduct thorough input validation and sanitization on the server side if possible, or deploy runtime application self-protection (RASP) solutions to monitor and block injection attempts. Regularly audit logs for suspicious activity related to this endpoint. Organizations should also consider isolating the affected application from critical databases or sensitive data stores until a patch is available. Engage in active threat hunting for signs of exploitation. Finally, maintain communication with the vendor and monitor security advisories for updates or patches. If feasible, plan for an upgrade or migration away from the vulnerable version or product.