CVE-2025-0392
📋 TL;DR
This critical SQL injection vulnerability in Jeewms allows remote attackers to execute arbitrary SQL commands by manipulating the store_code parameter of the datagridGraph function. Organizations running Jeewms versions up to 20241229 are affected; successful exploitation can expose database contents and may lead to control of the underlying system. The vulnerability is remotely exploitable and public exploit code exists.
💻 Affected Systems
- Guangzhou Huayi Intelligent Technology Jeewms
📦 What is this software?
Jeewms by Huayi Tec
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, privilege escalation, and potential remote code execution on the underlying server.
Likely Case
Unauthorized database access allowing extraction of sensitive information, modification of data, and potential lateral movement within the network.
If Mitigated
Limited impact with proper input validation, parameterized queries, and network segmentation preventing successful exploitation.
🎯 Exploit Status
Exploit code has been publicly disclosed on Gitee, making this easily exploitable by attackers with basic SQL injection knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20250101
Vendor Advisory: https://gitee.com/erzhongxmu/JEEWMS/issues/IBFK93
Restart Required: Yes
Instructions:
1. Back up your current Jeewms installation and database.
2. Download version 20250101 from the official source.
3. Replace the existing installation with the patched version.
4. Restart the Jeewms application server.
5. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block SQL injection patterns targeting the /graphReportController.do endpoint.
Input Validation Filter
Add input validation for the store_code parameter that rejects values containing suspicious characters.
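The input validation workaround above, written out as an allow-list filter that can sit in front of the application. This is an added example, not code from Jeewms or its vendor; the accepted store-code format (letters, digits, underscore and hyphen, up to 32 characters) is an assumption for illustration and should be tightened to match the codes actually in use. An allow-list is preferred over a block-list of the indicator strings, because a block-list only catches the patterns someone thought to list.

```python
import re

# Assumed store-code format (an assumption for this example, not taken from the
# Jeewms code base): letters, digits, underscore and hyphen, 1 to 32 characters.
STORE_CODE_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Endpoint named in the advisory as reaching the vulnerable datagridGraph function.
VULNERABLE_URI = "/graphReportController.do"


def store_code_is_valid(value):
    """Allow-list check: accept only values that look like a real store code."""
    return bool(value) and STORE_CODE_RE.fullmatch(value) is not None


def filter_request(uri, params):
    """Decide whether a request may be forwarded to the application.

    Returns (allowed, reason). Only requests to the affected endpoint are
    inspected; every store_code value must pass the allow-list, including
    repeated occurrences of the parameter, which is why a list is accepted.
    """
    if uri != VULNERABLE_URI:
        return True, "endpoint not in scope"
    values = params.get("store_code", [])
    if isinstance(values, str):
        values = [values]
    for value in values:
        if not store_code_is_valid(value):
            return False, "rejected store_code=%r" % value
    return True, "store_code passed allow-list"


if __name__ == "__main__":
    # Constructed sample requests: a benign code and an indicator from the advisory.
    for uri, params in [
        (VULNERABLE_URI, {"store_code": "WH-01"}),
        (VULNERABLE_URI, {"store_code": "WH-01' OR"}),
        ("/login.do", {"store_code": "ignored"}),
    ]:
        print(uri, params, "->", filter_request(uri, params))
```

Place the filter where it sees the decoded parameter value (for example in a reverse proxy or servlet filter), not on the raw query string, so that percent-encoded input is judged after decoding.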
🧯 If You Can't Patch
- Implement network segmentation to isolate Jeewms from critical systems
- Deploy a web application firewall with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Test the /graphReportController.do endpoint with SQL injection payloads in the store_code parameter and observe database errors or unexpected responses.
Check Version:
Check the Jeewms version in the application interface or configuration files, typically version.txt or application.properties.
Verify Fix Applied:
After upgrading to 20250101, test the same SQL injection payloads and verify they are properly sanitized or rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Multiple failed login attempts following SQL errors
- Requests to /graphReportController.do with suspicious store_code parameters
Network Indicators:
- Unusual database connection patterns from the Jeewms server
- Large data transfers from the database server
SIEM Query:
source="jeewms_logs" AND uri="/graphReportController.do" AND param="store_code" AND (value CONTAINS "' OR" OR value CONTAINS "--" OR value CONTAINS ";")
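The log indicator above (requests to /graphReportController.do whose store_code value carries one of the three patterns from the SIEM query), applied to access-log lines. This is an added example, not part of the advisory or of Jeewms; the log format and the sample lines are constructed for illustration. It URL-decodes the value before matching, which the SIEM query as written does not do, so a percent-encoded payload is not missed, and it splits the query string on "&" only, because ";" is itself one of the indicators and must not be treated as a separator.

```python
import re
from urllib.parse import unquote_plus

# Indicator substrings from the advisory's SIEM query, matched case-insensitively.
SUSPICIOUS_PATTERNS = ("' or", "--", ";")
VULNERABLE_URI = "/graphReportController.do"

# Constructed sample access-log lines (not real Jeewms logs): client, request, status.
# Line 2 carries an indicator in clear, line 3 carries one percent-encoded,
# line 5 hits a different endpoint and is out of scope for this rule.
SAMPLE_LOG = """\
10.0.0.5 "GET /graphReportController.do?store_code=WH01 HTTP/1.1" 200
10.0.0.9 "GET /graphReportController.do?store_code=WH01'-- HTTP/1.1" 500
10.0.0.9 "GET /graphReportController.do?store_code=WH01%27%20OR%20%27x%27%3D%27x HTTP/1.1" 500
10.0.0.5 "GET /graphReportController.do?store_code=WH02 HTTP/1.1" 200
10.0.0.7 "GET /login.do?user=a%27%20OR HTTP/1.1" 200
"""

# Assumed log layout for this example: client, quoted request line, status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def parse_query(query):
    """Split a raw query string on '&' only and URL-decode names and values.

    ';' is deliberately not treated as a separator here: it is one of the
    indicators, so it has to survive into the value being inspected.
    """
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def is_suspicious(value):
    """True if the decoded value contains any indicator substring."""
    lowered = value.lower()
    return any(pattern in lowered for pattern in SUSPICIOUS_PATTERNS)


def scan_log(text):
    """Return one finding per log line that targets the vulnerable endpoint
    with a suspicious store_code value."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        path, _, query = match.group("target").partition("?")
        if path != VULNERABLE_URI:
            continue
        for value in parse_query(query).get("store_code", []):
            if is_suspicious(value):
                findings.append({
                    "client": match.group("client"),
                    "status": match.group("status"),
                    "store_code": value,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Correlate the findings with the HTTP status: a burst of 500 responses from one client on this endpoint is the "database errors" signal the Check if Vulnerable section describes, and is a stronger indicator than any single matched substring.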