Cyber Posture

CVE-2025-22957

CriticalPublic PoC

Published: 31 January 2025

Published
31 January 2025
Modified
22 April 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 49.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-22957 is a SQL injection vulnerability (CWE-89) present in the front-end of websites built with ZZCMS versions <= 2023. Published on 2025-01-31, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by unauthenticated remote attackers via the website's front-end without requiring privileges or user interaction. Exploitation involves injecting malicious SQL payloads, potentially enabling unauthorized database access and extraction of sensitive information.

Mitigation guidance and additional details are available in advisories referenced at the vendor site http://www.zzcms.net/ and the vulnerability report https://github.com/youyouiooi/vulnerability-reports/blob/main/CVE-2025-22957/REANDE.md.

Details

CWE(s)
CWE-89

Affected Products

zzcms
zzcms
≤ 2023

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

The unauthenticated SQL injection vulnerability in the public-facing ZZCMS web application enables exploitation of a public-facing application (T1190) and unauthorized access to extract data from databases (T1213.006).

References