CVE-2025-29529 PoC — ITC Systems Multiplan/Matrix OneCard platform 安全漏洞

Source

https://github.com/Yoshik0xF6/CVE-2025-29529

Associated Vulnerability

Title:ITC Systems Multiplan/Matrix OneCard platform 安全漏洞 (CVE-2025-29529)
Description:ITC Systems Multiplan/Matrix OneCard platform v3.7.4.1002 was discovered to contain a SQL injection vulnerability via the component Forgotpassword.aspx.

Description

SQLi ITC Multiplan v3.7.4.1002 (CVE-2025-29529)

Readme

# SQLi ITC Multiplan (CVE-2025-29529)
## Discovery
On February 21, 2025, an SQL injection vulnerability was identified in the “Multiplan” platform developed by ITC Systems during a client engagement.

## Affected Versions 
This vulnerability has been only been tested on v3.7.4.1002
![screenshot](/version.png)

## Attack Vector
The "ctl00%24cpLogin%24ctlForgotPassword%24txtEmail" POST parameter used by the "ForgotPassword.aspx" endpoint was found to be not sanitized. An unauthenticated threat actor may 
leverage this vulnerability to read the applications backend database. 
![screenshot](/Attack_Vector.png)
## POC
As a Proof-of-Concept (PoC), database information such as tables and columns were collected. 
![screenshot](/POC.png)
![screenshot](/POC2.png)
## Vulnerability Check
Copy and paste a BurpSuite POST request from the /ForgotPassword.aspx endpoint to a text file. 
* Leverage sqlmap (sqlmap -r burprequest.txt -p ctl00%24cpLogin%24ctlForgotPassword%24txtEmail)
## Remediation
Update platform to ITC's current offering by contacting ITC Sales to discuss upgrade path to netZcore on-premise or netZcore Avro, ITC's advanced OneCard Cloud service.
## References
https://itcsystems.com/end-of-service-life-eosl-notice-multiplan-matrix-onecard-platform/

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!