CVE-2025-0344
Published: 09 January 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-0344 is a SQL injection vulnerability affecting leiyuxi cy-fast version 1.0. The issue resides in the listData function within the /commpara/listData file, where manipulation of the 'order' argument enables injection. Classified as critical, it corresponds to CWE-74 and CWE-89, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption through injected SQL payloads.
Advisories from VulDB (ctiid.290857, id.290857, submit.475747) document the issue, while a GitHub repository (d3do-23/cvelist/blob/main/cy-fast/sqli3.md) publicly discloses a proof-of-concept exploit. No specific patches or vendor mitigations are detailed in available references.
The exploit has been publicly disclosed and may be actively used, increasing the risk for deployments of the affected software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app /commpara/listData enables initial access via exploitation of public-facing application (T1190), abuse of server software component for SQL execution (T1505), and data collection from databases (T1213.006).