CVE-2025-0407

6.3 MEDIUM

📋 TL;DR

This is a critical SQL injection vulnerability in liujianview gymxmjpa 1.0 that allows remote attackers to execute arbitrary SQL commands via the hyname parameter in EquipmentDaoImpl. Any system running the vulnerable version is affected, and exploitation can lead to data theft, modification, or deletion.

💻 Affected Systems

Products:
  • liujianview gymxmjpa
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration and affects all deployments of version 1.0.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, modification, deletion, or potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized data access, data manipulation, and potential privilege escalation within the database.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub issues, making this easily exploitable by attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries in EquipmentController.java so that the hyname value is bound as a query parameter rather than concatenated into the SQL string.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation and sanitization for the hyname parameter to prevent SQL injection.

Web Application Firewall (applies to: all)

Deploy a WAF with SQL injection protection rules to filter malicious requests.
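The official-fix instructions above call for parameterized queries, and the first workaround calls for input validation. The following Java is an added illustration written for this advisory, not code from gymxmjpa or its author: it shows the vulnerable string-built query next to the parameterized form, plus an allowlist check for the controller boundary. It assumes JPA 2.x (javax.persistence), an Equipment entity with a hyname column, and a class named EquipmentDaoExample standing in for EquipmentDaoImpl; the allowed character set and length limit for hyname are assumptions, not the project's rules.

```java
// Added example for this advisory; not gymxmjpa's own code.
// Assumptions: JPA 2.x (javax.persistence), an Equipment entity with a
// hyname column, EquipmentDaoExample standing in for EquipmentDaoImpl.
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;
import java.util.List;
import java.util.regex.Pattern;

@Entity
class Equipment {
    @Id
    Long id;
    String hyname;   // assumed column, named after the advisory's parameter
}

public class EquipmentDaoExample {

    private final EntityManager em;

    public EquipmentDaoExample(EntityManager em) {
        this.em = em;
    }

    // VULNERABLE pattern: the request value is pasted into the query text, so a
    // value containing a quote changes the query's structure instead of being
    // compared as data. Shown only as the "before" that the fix replaces.
    public List<Equipment> findByHynameUnsafe(String hyname) {
        String jpql = "SELECT e FROM Equipment e WHERE e.hyname = '" + hyname + "'";
        return em.createQuery(jpql, Equipment.class).getResultList();
    }

    // FIXED pattern: named parameter. The query text is a constant; the value
    // is bound separately by the provider and cannot alter the statement.
    public List<Equipment> findByHyname(String hyname) {
        TypedQuery<Equipment> q = em.createQuery(
                "SELECT e FROM Equipment e WHERE e.hyname = :hyname", Equipment.class);
        q.setParameter("hyname", hyname);
        return q.getResultList();
    }

    // Same rule for a LIKE search: wildcards go into the bound value, never
    // into the query string. A user-supplied '%' or '_' still acts as a
    // wildcard here (a matching issue, not an injection); add an ESCAPE clause
    // if exact matching matters.
    public List<Equipment> searchByHyname(String fragment) {
        TypedQuery<Equipment> q = em.createQuery(
                "SELECT e FROM Equipment e WHERE e.hyname LIKE :pattern", Equipment.class);
        q.setParameter("pattern", "%" + fragment + "%");
        return q.getResultList();
    }

    // Defence in depth, matching the "Input Validation and Sanitization"
    // workaround: allowlist the value at the controller before it reaches the
    // DAO. This reduces exposure but is not a substitute for parameterization.
    // Character set and length limit are assumptions about equipment names.
    private static final Pattern HYNAME_ALLOWED =
            Pattern.compile("^[\\p{L}\\p{N} _.-]{1,64}$");

    public static boolean isValidHyname(String hyname) {
        return hyname != null && HYNAME_ALLOWED.matcher(hyname).matches();
    }
}
```

In the controller, reject the request (HTTP 400) when isValidHyname returns false, and only then call findByHyname; the parameterized query is the actual fix, the allowlist is the layer that also cuts down noise in the logs.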

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system from critical assets.
  • Deploy database monitoring and alerting for unusual SQL query patterns.

🔍 How to Verify

Check if Vulnerable:

Check if running gymxmjpa version 1.0 and review EquipmentController.java for SQL injection vulnerabilities in hyname parameter handling.

Check Version:

Check application version in pom.xml or application configuration files.

Verify Fix Applied:

Test the hyname parameter with SQL injection payloads to ensure they are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts or parameter manipulation attempts

Network Indicators:

  • HTTP requests with SQL injection patterns in hyname parameter
  • Unusual database query patterns from application server

SIEM Query:

source="application.log" AND ("SQL syntax" OR ("hyname" AND ("' OR" OR "--" OR ";")))

Grouping: the query matches either a SQL syntax error message, or a line that mentions hyname together with one of the listed injection fragments.
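To show the SIEM query's logic applied to raw log lines outside a SIEM, here is an added Java scanner written for this advisory (not from the project or the advisory author). It flags a line when it carries a SQL syntax error, or when the hyname query parameter, once URL-decoded, contains a quote followed by OR, a comment marker, or a statement separator. The access-log-like line format and the sample lines are constructed; the code assumes Java 11 or later.

```java
// Added example for this advisory; not the project's code.
// Applies the SIEM query's two branches to plain-text log lines.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HynameSqliDetector {

    // Branch 1 of the query: database error text leaking into the app log.
    private static final Pattern SQL_ERROR =
            Pattern.compile("SQL syntax", Pattern.CASE_INSENSITIVE);

    // Branch 2: a request line carrying the hyname parameter ...
    private static final Pattern HYNAME_PARAM =
            Pattern.compile("[?&]hyname=([^&\\s]*)");

    // ... whose decoded value contains one of the fragments the query lists.
    private static final Pattern INJECTION_FRAGMENT =
            Pattern.compile("'\\s*OR\\b|--|;", Pattern.CASE_INSENSITIVE);

    // Decode the URL-encoded value so "%27+OR" is inspected as "' OR".
    static String decode(String raw) {
        try {
            return URLDecoder.decode(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return raw;   // malformed percent-encoding: inspect as-is
        }
    }

    public static boolean isSuspicious(String line) {
        if (SQL_ERROR.matcher(line).find()) {
            return true;
        }
        Matcher m = HYNAME_PARAM.matcher(line);
        return m.find() && INJECTION_FRAGMENT.matcher(decode(m.group(1))).find();
    }

    public static List<String> flag(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines in an access-log-like format.
        List<String> sample = List.of(
            "2025-01-12 10:01:02 GET /equipment/list?hyname=treadmill 200",
            "2025-01-12 10:01:03 GET /equipment/list?hyname=rowing-machine 200",
            "2025-01-12 10:01:05 GET /equipment/list?hyname=x%27+OR+%271%27%3D%271 500",
            "2025-01-12 10:01:05 ERROR EquipmentDaoImpl - You have an error in your SQL syntax",
            "2025-01-12 10:01:09 GET /equipment/list?hyname=bike%27-- 500"
        );
        for (String hit : flag(sample)) {
            System.out.println("ALERT: " + hit);
        }
    }
}
```

Decoding before matching matters: the raw request line contains %27 rather than a quote, so the SIEM query's literal "' OR" only fires on logs that store decoded parameters. The hyphen in "rowing-machine" is a reminder to require two dashes, not one, when looking for comment markers.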
