CVE-2025-1832
Published: 02 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-1832 is a SQL injection vulnerability in the zj1983 zz application up to version 2024-8. The flaw lies in the getUserList function in the file src/main/java/com/futvan/z/system/zrole/ZroleAction.java, where manipulation of the roleid argument leads to SQL injection. It is classified under CWE-74 and CWE-89, carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), and was published on 2025-03-02.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L). By crafting malicious input for the roleid parameter, the attacker can execute arbitrary SQL queries, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service within the application's database.
Advisories from VulDB and GitHub repositories describe the vulnerability but report no vendor response or patch; the developer was contacted early but did not reply. Exploit details have been publicly disclosed, including proof-of-concept write-ups in Chinese-language Markdown files targeting the zz 2024-8-4 backend.
Notably, no evidence of active real-world exploitation is reported, and the issue has no apparent relevance to AI/ML components.
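The defect class behind this CVE, shown as an added illustration rather than the zz project's own code: the real ZroleAction.getUserList is not reproduced here, and the table name (z_user), column names (user_name, role_id) and the JDBC-based data access are assumptions chosen only to contrast the unsafe pattern with its fix. The first method concatenates the request parameter into the query text (the CWE-89 pattern the advisory reports for roleid); the second binds it through a PreparedStatement so the driver always treats it as data.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example for the CVE-2025-1832 defect class; not code from the zz project.
// Table and column names below are assumptions, not the project's schema.
public class RoleUserLookup {

    // VULNERABLE PATTERN: the caller-controlled roleid value is spliced into the
    // SQL string, so it becomes part of the query grammar instead of a value.
    // This mirrors the CWE-89 weakness described in the advisory.
    public static List<String> getUserListUnsafe(Connection conn, String roleid) throws SQLException {
        String sql = "SELECT user_name FROM z_user WHERE role_id = '" + roleid + "'"; // assumed schema
        List<String> users = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                users.add(rs.getString("user_name"));
            }
        }
        return users;
    }

    // HARDENED: the SQL text is a fixed literal and roleid is bound as a parameter.
    // The JDBC driver sends the value separately from the statement, so no input
    // can alter the query structure. This is the standard CWE-89 mitigation.
    public static List<String> getUserListSafe(Connection conn, String roleid) throws SQLException {
        String sql = "SELECT user_name FROM z_user WHERE role_id = ?"; // assumed schema
        List<String> users = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, roleid);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    users.add(rs.getString("user_name"));
                }
            }
        }
        return users;
    }
}
```

When reviewing a fix for this class of bug, the check to make is that every query touching request-derived values uses bound parameters (or the equivalent in the ORM in use) and that no code path still builds SQL by string concatenation. Validating the format of roleid against what the application actually expects is a useful second layer, but it is not a substitute for parameter binding, and the expected format of this parameter is not stated in the advisory.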
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection in a public-facing web application (the getUserList handler in ZroleAction.java, reached through the roleid parameter) maps to exploitation of a public-facing application for initial access (T1190), collection of data from databases (T1213.006), and abuse of server software components (T1505, as noted in the advisory).