CVE-2025-1464
Published: 19 February 2025
Description
A vulnerability, which was classified as critical, has been found in Baiyi Cloud Asset Management System up to 20250204. This issue affects some unknown processing of the file /wuser/admin.house.collect.php. The manipulation of the argument project_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1464 is a critical SQL injection vulnerability in the Baiyi Cloud Asset Management System versions up to 20250204. The flaw resides in the processing of the /wuser/admin.house.collect.php file, where the project_id argument is vulnerable to manipulation, allowing injection of malicious SQL code. It has been assigned CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. By sending a crafted request manipulating the project_id parameter, an attacker can execute arbitrary SQL queries, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.
Advisories from VulDB and a GitHub issue detail the vulnerability, including a publicly disclosed exploit. No patches or vendor responses are available, as the vendor was contacted early but did not reply.
The exploit has been made public and may be actively used, increasing the risk for exposed instances of the affected software.
Details
- CWE(s)