Cyber Posture

CVE-2025-2030

Severity: High
Published: 06 March 2025
Modified: 15 April 2026
KEV Added: (not listed)
Patch: (none referenced)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0011 (28.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Unauthenticated SQL injection via the groupId parameter of /security/addUser.jsp in Seeyon Zhiyuan Interconnect FE Collaborative Office Platform up to version 20250224, exploitable remotely over the network; a public exploit exists and no vendor patch is referenced.

Security Summary

CVE-2025-2030 is a SQL injection vulnerability (CWE-74, CWE-89) in the Seeyon Zhiyuan Interconnect FE Collaborative Office Platform up to version 20250224. An unknown function of the file /security/addUser.jsp is affected: manipulation of the groupId argument leads to SQL injection. Published on 2025-03-06, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), which this page rates High; the source advisories describe it as critical.

The vulnerability is exploitable over the network with low attack complexity and requires no privileges, authentication or user interaction. The vector scores confidentiality, integrity and availability impact as Low (C:L/I:L/A:L): through the injected query an attacker can read, modify or disrupt data reachable by the application's database account, within the same security scope as the web application.
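To make the CWE-89 mechanism concrete, the following added example (not Seeyon's code; the platform's real schema and query are not published) reproduces the pattern of splicing a groupId request parameter into SQL text and contrasts it with type-checking and parameter binding. The table names, rows, the injection payload and the sqlite3 backend are all constructed for illustration.

```python
import sqlite3


# Hypothetical schema standing in for the application's database; the real
# Seeyon FE schema is not described in the advisory.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO groups VALUES (1, 'staff'), (2, 'admins');
        INSERT INTO users  VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
    """)
    return conn


def lookup_group_vulnerable(conn: sqlite3.Connection, group_id: str) -> list:
    # CWE-89 pattern: the request parameter becomes part of the SQL text, so
    # anything after the number is parsed as SQL by the database engine.
    sql = "SELECT id, name FROM groups WHERE id = " + group_id
    return conn.execute(sql).fetchall()


def lookup_group_safe(conn: sqlite3.Connection, group_id: str) -> list:
    # Hardened form: enforce the expected type, then bind the value as a
    # parameter so the driver never interprets it as SQL.
    if not group_id.isdigit():
        raise ValueError("groupId must be a non-negative integer")
    return conn.execute(
        "SELECT id, name FROM groups WHERE id = ?", (int(group_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: empty the WHERE match and UNION in another table.
    payload = "0 UNION SELECT id, pw_hash FROM users"
    print("normal, vulnerable:", lookup_group_vulnerable(db, "2"))
    print("payload, vulnerable:", lookup_group_vulnerable(db, payload))
    try:
        lookup_group_safe(db, payload)
    except ValueError as exc:
        print("payload, safe:", exc)
```

Parameter binding alone defeats the injection; the preceding integer check is belt-and-braces that rejects malformed input early with a clean error instead of a database exception, which also keeps noisy probes out of the application's error path.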

Advisories from VulDB and a GitHub repository document the public disclosure of an exploit. The vendor was contacted early about the disclosure but did not respond, and no patch or official mitigation is referenced.

Because exploit code is public, the likelihood of exploitation against unpatched, Internet-exposed instances rises. Note, however, that this page records no KEV listing and an EPSS of 0.0011 (28.8th percentile), so there is no evidence here of exploitation in the wild; whether /security/addUser.jsp is reachable from untrusted networks should drive prioritisation.
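With no vendor patch referenced, detection on the web tier is the available compensating control. The following added example (not from the advisory, VulDB or the vendor) scans web-server access logs in combined log format for requests to /security/addUser.jsp whose groupId is not a plain integer. It uses an allow-list check on the decoded value, which catches percent-encoded and plain payloads alike rather than matching a list of SQL keywords. The log lines are constructed, and the assumption that a legitimate groupId is a short integer is not stated on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic in Apache/nginx combined log format; not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2025:10:01:02 +0000] "GET /security/addUser.jsp?groupId=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Mar/2025:10:01:09 +0000] "GET /security/addUser.jsp?groupId=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9813 "-" "curl/8.5.0"
203.0.113.9 - - [06/Mar/2025:10:01:15 +0000] "GET /security/addUser.jsp?groupId=0+UNION+SELECT+1,2,3-- HTTP/1.1" 500 311 "-" "python-requests/2.31"
203.0.113.9 - - [06/Mar/2025:10:01:20 +0000] "POST /security/addUser.jsp HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [06/Mar/2025:10:02:00 +0000] "GET /seeyon/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/security/addUser.jsp"   # endpoint named in the advisory
PARAM = "groupId"                        # parameter named in the advisory
# Assumption (not from the advisory): a legitimate groupId is a short integer.
EXPECTED_VALUE = re.compile(r"\d{1,10}")


def scan(log_text: str) -> list:
    """Return one finding per anomalous request to the vulnerable endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so encoded and
        # plain payloads are judged on the same decoded value.
        values = parse_qs(parts.query).get(PARAM, [])
        if m["method"].upper() == "POST" and not values:
            # The request body is not in the access log; hand these requests
            # to WAF or reverse-proxy logs that do capture it.
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "verdict": "review-body", "value": None})
            continue
        for value in values:
            if EXPECTED_VALUE.fullmatch(value) is None:
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "verdict": "suspicious", "value": value})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['verdict']}: {f['value']!r}")
```

Benign integer values produce no finding, so the output is only the anomalies; the same allow-list can be expressed as a WAF rule on the groupId parameter of that path to block rather than merely log while no patch exists.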

Details

CWE(s)
CWE-74, CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An unauthenticated SQL injection in a public-facing web application (/security/addUser.jsp) lets a remote attacker exploit the server directly from the Internet, which maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
