CVE-2025-0585

Critical

Published: 20 January 2025

Published

20 January 2025

Modified

17 November 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0025 48.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The a+HRD from aEnrich Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Security Summary

CVE-2025-0585 is a SQL injection vulnerability (CWE-89) affecting the a+HRD software from aEnrich Technology. Published on 2025-01-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue enables unauthenticated remote attackers to inject arbitrary SQL commands into the application.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation allows attackers to read, modify, and delete database contents, resulting in high impacts to confidentiality, integrity, and availability.

Advisories from TWCERT/CC provide further details on the vulnerability, available at https://www.twcert.org.tw/en/cp-139-8373-91edc-2.html and https://www.twcert.org.tw/tw/cp-132-8372-19721-1.html.

Details

CWE(s): CWE-89

Affected Products

aenrich

a\+hrd

≤ 7.5

References

https://www.twcert.org.tw/en/cp-139-8373-91edc-2.html
Third Party Advisory · twcert@cert.org.tw
https://www.twcert.org.tw/tw/cp-132-8372-19721-1.html
Third Party Advisory · twcert@cert.org.tw