CVE-2025-2217
Published: 12 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2217 is a SQL injection vulnerability classified as critical in the zzskzy Warehouse Refinement Management System version 1.3. The issue resides in the ProcessRequest function of the file /getAdyData.ashx, where manipulation of the showid argument enables SQL injection. It is remotely exploitable and associated with CWE-74 and CWE-89.
An attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation yields limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Advisories from VulDB (https://vuldb.com/?ctiid.299289, https://vuldb.com/?id.299289, https://vuldb.com/?submit.512333) and a GitHub report (https://github.com/Rain1er/report/blob/main/skWMX/5.md) detail the vulnerability, noting that the exploit has been publicly disclosed and may be used. The vendor was contacted early regarding disclosure but provided no response, and no patches or specific mitigations are referenced.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/getAdyData.ashx) enables exploitation of public-facing applications (T1190). Advisory explicitly maps to server software component abuse (T1505), with potential for RCE.