CVE-2025-10399
📋 TL;DR
This SQL injection vulnerability in Korzh EasyQuery allows attackers to execute arbitrary SQL commands through the Query Builder UI component. It affects all systems running EasyQuery up to version 7.4.0 with the vulnerable endpoint exposed. Remote attackers can potentially access, modify, or delete database content.
💻 Affected Systems
- Korzh EasyQuery
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, or database server takeover leading to lateral movement within the network.
Likely Case
Unauthorized data access and extraction from the database, potentially exposing sensitive information stored in the application.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing successful exploitation.
🎯 Exploit Status
Exploit details are publicly available according to references; exploitation requires understanding of SQL injection techniques and the specific endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1 or later
Vendor Advisory: https://vuldb.com/?ctiid.323834
Restart Required: No
Instructions:
1. Check the current EasyQuery version.
2. Download and install version 7.4.1 or later from Korzh.
3. Verify the patch is applied by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Endpoint Restriction
Block access to the vulnerable /api/easyquery/models/nwind/fetch endpoint using web server or firewall rules.
# Example for Apache (mod_rewrite must be loaded and RewriteEngine On): RewriteRule ^/api/easyquery/models/nwind/fetch - [F]
# Example for Nginx: location ~ ^/api/easyquery/models/nwind/fetch { deny all; }
Input Validation
Implement strict input validation and sanitization for all parameters passed to the Query Builder UI.
# Application-level validation required; no single command
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with SQL injection protection rules enabled.
- Isolate the EasyQuery application in a segmented network zone with restricted database access.
🔍 How to Verify
Check if Vulnerable:
Check if the endpoint /api/easyquery/models/nwind/fetch exists and accepts SQL injection payloads; test with controlled payloads like ' OR '1'='1.
Check Version:
Check application configuration or admin panel for EasyQuery version; typically found in web.config or application settings.
Verify Fix Applied:
After patching, attempt SQL injection against the endpoint; successful requests should be rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed requests to /api/easyquery/models/nwind/fetch
- SQL syntax errors in application logs
Network Indicators:
- Unusual traffic patterns to the vulnerable endpoint
- SQL keywords in HTTP POST parameters
SIEM Query:
source="web_server" AND uri="/api/easyquery/models/nwind/fetch" AND (param="*sql*" OR param="*union*" OR param="*select*" OR param="*insert*")
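As an added example (not part of the advisory and not Korzh code), a small Python scanner that applies the log indicators above to web server access log lines: it flags requests to the /api/easyquery/models/nwind/fetch endpoint whose decoded parameters carry SQL keywords and counts 5xx failures per source address. The log lines, IP addresses and the parameter name `query` are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote_plus

ENDPOINT = "/api/easyquery/models/nwind/fetch"
# Keyword/pattern indicators from the advisory (union/select/insert) plus a tautology and comment check.
SQL_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bunion\b", r"\bselect\b", r"\binsert\b", r"\bor\b\s*'?\w*'?\s*=", r"--", r"/\*")]
# Apache/Nginx "combined" access log format: ip ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+')

# Constructed sample log lines (not from a real system); the parameter name "query" is assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /api/easyquery/models/nwind/fetch?query=%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 512
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "POST /api/easyquery/models/nwind/fetch?query=1%20UNION%20SELECT%20name%20FROM%20sysobjects HTTP/1.1" 500 512
198.51.100.4 - - [10/Oct/2025:12:00:03 +0000] "POST /api/easyquery/models/nwind/fetch?query=CustomerID HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2025:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def suspicious_params(uri):
    """Return (name, decoded value) pairs on the vulnerable endpoint that match an SQL pattern."""
    parts = urlsplit(uri)
    if parts.path != ENDPOINT:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decode again to catch double-encoded payloads.
        decoded = " ".join(unquote_plus(value).lower().split())
        if any(p.search(decoded) for p in SQL_PATTERNS):
            hits.append((name, decoded))
    return hits

def scan(log_text):
    """Return (alerts, failures): flagged requests and a per-IP count of 5xx responses on the endpoint."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = suspicious_params(m["uri"])
        if hits:
            alerts.append((m["ip"], m["status"], hits))
        if urlsplit(m["uri"]).path == ENDPOINT and m["status"].startswith("5"):
            failures[m["ip"]] += 1
    return alerts, failures

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE_LOG)[0]:
        print(f"ALERT {ip} status={status} params={hits}")
```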