CVE-2025-1831

CVE-2025-1831 is a SQL injection vulnerability classified as critical in the zj1983 zz software up to version 2024-8. The issue resides in the GetDBUser function within the file src/main/java/com/futvan/z/system/zorg/ZorgAction.java, where manipulation of the user_id argument enables the injection. Recent input validation failures allow attackers to craft malicious payloads, as mapped to CWE-74 and CWE-89. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-02.

Exploitation requires low privileges (PR:L) and can be performed remotely over the network with low complexity and no user interaction. An attacker with authenticated access at a low level could manipulate the user_id parameter to execute arbitrary SQL queries, potentially leading to limited confidentiality, integrity, and availability impacts, such as unauthorized data access, modification, or denial of service on the database.

Advisories from VulDB and related GitHub repositories, including proof-of-concept details in ZZ_2024_8前台SQL注入2.md, confirm the exploit has been publicly disclosed and is available for use. The vendor was notified early but provided no response or patch, leaving affected systems without official mitigation. Security practitioners should isolate instances, apply network controls, and monitor for anomalous database activity until updates emerge.

The public disclosure of the exploit increases the risk of active targeting, particularly for exposed deployments of this lesser-known Java-based application. No evidence of widespread real-world exploitation is noted in available sources.