CVE-2025-1821
Published: 02 March 2025
Description
A SQL injection vulnerability exists in zj1983 zz up to version 2024-8, in the function getUserOrgForUserId of the file src/main/java/com/futvan/z/system/zorg/ZorgAction.java. Manipulation of the userID argument leads to SQL injection. The attack can be launched remotely over the network, the exploit has been disclosed publicly, and the vendor did not respond to early notification.
Security Summary
CVE-2025-1821 is a SQL injection vulnerability in zj1983 zz versions up to 2024-8. The flaw is in the getUserOrgForUserId function in src/main/java/com/futvan/z/system/zorg/ZorgAction.java: the userID argument reaches the SQL layer without being neutralized, so a crafted value alters the query.
The vulnerability is exploitable remotely over the network with low attack complexity; it requires low privileges (an authenticated account) and no user interaction. The CVSS 3.1 base score is 6.3, medium severity (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), with limited impact scored on confidentiality, integrity and availability. That score is the advisory's assessment; a practitioner should treat any SQL injection reachable from a low-privileged account as a potential read of arbitrary tables (for example via a UNION on a user-lookup query) until the affected query has been shown to be constrained. The issue maps to CWE-74 and CWE-89.
VulDB advisories and a GitHub disclosure detail the exploit, which is public and may be used by attackers. The vendor was contacted early about the issue but did not respond, and no patches or specific mitigations are referenced.
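The following is an added illustration for this editorial page, not code from zz or from ZorgAction.java: it reproduces the CWE-89 pattern the advisory describes (a caller-supplied userID concatenated into a SQL string) beside the parameterized version of the same query, run against an in-memory SQLite database. The table names, sample rows, result-set shape and function bodies are constructed assumptions for the demonstration; only the parameter name userID and the vulnerability class come from the advisory.

```python
import sqlite3

# Hypothetical two-column org lookup keyed by user id. The real query in zz is
# not known from the advisory; this shape is assumed for the example.
ORG_LOOKUP = (
    "SELECT o.org_id, o.org_name FROM z_org o "
    "JOIN z_user_org uo ON uo.org_id = o.org_id "
    "WHERE uo.user_id = "
)

# UNION payload matched to the two columns of ORG_LOOKUP. The trailing SQL
# comment swallows the closing quote the vulnerable code appends.
PAYLOAD = "x' UNION SELECT username, password_hash FROM z_user -- "


def make_db():
    """Throwaway database with constructed org/user tables and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE z_org (org_id TEXT PRIMARY KEY, org_name TEXT);
        CREATE TABLE z_user_org (user_id TEXT, org_id TEXT);
        CREATE TABLE z_user (user_id TEXT, username TEXT, password_hash TEXT);
        INSERT INTO z_org VALUES ('org1', 'Finance'), ('org2', 'Engineering');
        INSERT INTO z_user_org VALUES ('u1', 'org1'), ('u2', 'org2');
        INSERT INTO z_user VALUES ('u1', 'alice', 'hash_alice'),
                                  ('u2', 'bob', 'hash_bob');
        """
    )
    return conn


def get_user_org_vulnerable(conn, user_id):
    """Concatenates userID into the WHERE clause: the CWE-89 pattern.

    Any quote, UNION or comment inside user_id becomes part of the statement.
    """
    sql = ORG_LOOKUP + "'" + user_id + "'"
    return conn.execute(sql).fetchall()


def get_user_org_safe(conn, user_id):
    """Same query with a bound parameter.

    The driver sends user_id as data, so the payload is just an unmatched
    string and the query returns no rows instead of the z_user table.
    """
    sql = ORG_LOOKUP + "?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", get_user_org_vulnerable(db, "u1"))
    print("injected  :", get_user_org_vulnerable(db, PAYLOAD))
    print("fixed     :", get_user_org_safe(db, PAYLOAD))
```

In the vulnerable path the injected value returns every username and password hash instead of one user's organisation, which is why the "limited" confidentiality impact in the CVSS vector deserves a second look. The Java equivalents of the bound-parameter form are a JDBC PreparedStatement with setString, or, if the persistence layer is MyBatis, the #{userID} placeholder rather than ${userID} string substitution; which of these zz uses is not stated in the advisory.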
Details
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'); CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')
- Affected Products: zj1983 zz, versions up to 2024-8 (affected component: getUserOrgForUserId in src/main/java/com/futvan/z/system/zorg/ZorgAction.java; no fixed version is referenced)
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application); T1505 (Server Software Component); T1213.006 (Data from Information Repositories: Databases)
Why these techniques?
The injection is reachable through the front-end web endpoint /getUserOrgForUserId, so a low-privileged remote user exploits a public-facing application (T1190); the crafted userID is executed by the application's server-side database access code, an abuse of a server software component (T1505); and the rows the altered query returns are collected directly from the backing database (T1213.006). The T1505 mapping assumes the injection is leveraged against the server component itself; the advisory documents only the injection and not a persistence step.
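As an added detection example for the T1190 angle above (not part of the original advisory or of the zz project), the scanner below reads web-server access logs and flags requests to the vulnerable endpoint whose userID parameter carries SQL injection indicators. The endpoint path and parameter name come from the advisory; the combined log format, the scoring rules and threshold, and all sample log lines are constructed assumptions for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/Nginx style). The referer/user-agent pair is
# optional so Tomcat's common "%h %l %u %t \"%r\" %s %b" lines also parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Each indicator scores one point. A lone quote is common in legitimate data
# (names like O'Brien), so the default threshold needs two indicators.
INDICATORS = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|/\*|#")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"\b(?:or|and)\b\s*['\"\d]+\s*=\s*['\"\d]", re.I)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
]

# Constructed sample lines; not from any real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2025:10:01:02 +0000] "GET /getUserOrgForUserId?userID=1001 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Mar/2025:10:01:09 +0000] "GET /getUserOrgForUserId?userID=1001%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20z_user--%20- HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.7 - - [02/Mar/2025:10:02:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Mar/2025:10:03:40 +0000] "GET /getUserOrgForUserId?userID=1001%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 312 "-" "sqlmap/1.8"
10.0.0.9 - - [02/Mar/2025:10:04:01 +0000] "GET /getUserOrgForUserId?userID=O%27Brien HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""


def classify_value(value):
    """Return the names of the injection indicators present in a parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def scan_log(text, endpoint="/getUserOrgForUserId", param="userID", threshold=2):
    """Yield one hit per request to `endpoint` whose `param` scores >= threshold.

    The path is matched with endswith() so a deployment under a context path
    (e.g. /zz/getUserOrgForUserId, assumed) is still caught. Values are
    URL-decoded by parse_qs before matching, so %27 is seen as a quote.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(endpoint):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            found = classify_value(value)
            if len(found) >= threshold:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "ua": m.group("ua"),
                    "value": value,
                    "indicators": found,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["ua"], hit["indicators"], repr(hit["value"]))
```

Two caveats for real use: the access log only shows parameters sent in the query string, so a userID posted in a form body will not appear unless the application or a reverse proxy logs request bodies; and a single-quote hit below the threshold (the O'Brien line) is worth a low-priority count rather than silence, since attackers probing with one quote at a time generate exactly that pattern.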