CVE-2025-12864
Published: 10 November 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2025-12864 is a SQL injection vulnerability (CWE-89) in U-Office Force, a software product developed by e-Excellence. Published on 2025-11-10, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw enables an authenticated remote attacker to inject arbitrary SQL commands, potentially allowing them to read, modify, or delete database contents.
An authenticated attacker with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation has a high impact on the confidentiality, integrity, and availability of the underlying database, enabling data exfiltration, alteration, or destruction depending on the attacker's objectives and the permissions of the database account the application uses.
Mitigation guidance is provided in advisories from TWCERT, accessible at https://www.twcert.org.tw/en/cp-139-10489-a5a6d-2.html and https://www.twcert.org.tw/tw/cp-132-10488-2df22-1.html. Security practitioners should consult these for specific patching instructions or workarounds applicable to U-Office Force deployments.
Details
CWE(s): CWE-89 (SQL injection)
Affected Products: U-Office Force (e-Excellence)
MITRE ATT&CK Enterprise Techniques: T1213.006, T1492, T1485
Why these techniques?
SQL injection enables arbitrary SQL commands for reading data from databases (T1213.006), modifying stored data (T1492), and destroying data via deletion (T1485).