CVE-2025-15420
📋 TL;DR
This CVE describes a SQL injection vulnerability in Yonyou KSOA 9.0's /worksheet/agent_work_report.jsp endpoint via the ID parameter. Attackers can remotely execute arbitrary SQL commands to potentially access, modify, or delete database content. Organizations using Yonyou KSOA 9.0 with the vulnerable component exposed are affected.
💻 Affected Systems
- Yonyou KSOA
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft or data destruction, or full system takeover if the SQL injection can be escalated to remote code execution.
Likely Case
Unauthorized database access allowing extraction of sensitive business data, user credentials, or configuration information.
If Mitigated
Limited impact with proper input validation, parameterized queries, and network segmentation preventing exploitation.
🎯 Exploit Status
Public exploit code available on GitHub; remote exploitation requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Vendor was contacted but did not respond. Consider workarounds or alternative solutions.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block SQL injection patterns targeting /worksheet/agent_work_report.jsp with the ID parameter.
# Example ModSecurity rule: chain the URI match with a check on the ID argument, so only requests whose ID is not purely numeric are denied instead of every request to the endpoint
SecRule REQUEST_URI "@rx /worksheet/agent_work_report\.jsp" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt on KSOA',chain"
    SecRule ARGS:ID "!@rx ^[0-9]+$" "t:none"
Input Validation Filter
Add server-side input validation to sanitize ID parameter values before processing.
// Example in application code (Java): accept only a purely numeric ID, then bind it through a parameterized query rather than concatenating it into SQL
if (id == null || !id.matches("^\\d+$")) { throw new IllegalArgumentException("Invalid ID"); }
🧯 If You Can't Patch
- Implement network segmentation to restrict access to KSOA systems only to authorized users.
- Deploy database monitoring to detect unusual SQL queries from the KSOA application.
🔍 How to Verify
Check if Vulnerable:
Test the /worksheet/agent_work_report.jsp endpoint with SQL injection payloads in the ID parameter (e.g., ID=1' OR '1'='1). Monitor for database errors or unexpected responses.
Check Version:
Check KSOA version through application interface or configuration files. Command varies by deployment.
Verify Fix Applied:
After applying workarounds, retest with SQL injection payloads to confirm they are blocked or sanitized. Verify WAF logs show blocked attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual database query patterns in application logs
- Error messages containing SQL syntax in web server logs
- Multiple failed login attempts or parameter manipulation
Network Indicators:
- HTTP requests to /worksheet/agent_work_report.jsp with SQL injection patterns in parameters
- Unusual outbound database connections from web server
SIEM Query:
source="web_logs" AND uri="/worksheet/agent_work_report.jsp" AND (param="ID" AND value MATCHES "[';]|OR|UNION|SELECT")
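Added detection example, not part of this advisory or of the vendor's software: a small Python scanner that applies the logic of the SIEM query above to web server access logs in combined format, URL-decoding the ID parameter of requests to the vulnerable endpoint and flagging values that are not purely numeric and carry SQL metacharacters or keywords. The log lines, timestamps and IP addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOGS = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /worksheet/agent_work_report.jsp?ID=1024 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2025:10:01:09 +0000] "GET /worksheet/agent_work_report.jsp?ID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88 "-" "curl/8.0"
10.0.0.9 - - [12/May/2025:10:02:30 +0000] "GET /worksheet/agent_work_report.jsp?ID=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.5 - - [12/May/2025:10:03:00 +0000] "GET /index.jsp?ID=1%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/worksheet/agent_work_report.jsp"
# Metacharacters, comment openers and keywords that never belong in a numeric ID.
SQLI_RE = re.compile(r"['\";]|\b(or|and|union|select|sleep|waitfor)\b|--|/\*", re.IGNORECASE)


def is_suspicious_id(value: str) -> bool:
    """ID is expected to be numeric; a second decode also catches double-encoded values."""
    decoded = unquote_plus(value)
    return not decoded.isdigit() and bool(SQLI_RE.search(decoded))


def scan_log(text: str) -> list:
    """Return one record per request to the vulnerable endpoint whose ID value looks like SQL injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != VULN_PATH:
            continue
        # parse_qs already URL-decodes values; keep_blank_values so an empty ID is still inspected.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name.lower() != "id":
                continue
            for v in values:
                if is_suspicious_id(v):
                    hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]), "id": unquote_plus(v)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOGS):
        print(hit)
```

A 500 status on a flagged request is worth prioritising, since database errors surfacing to the client are one of the log indicators listed above.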
🔗 References
- https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_work_report.jsp%20SQL%20injection.md
- https://vuldb.com/?ctiid.339342
- https://vuldb.com/?id.339342
- https://vuldb.com/?submit.721099
- https://vuldb.com/?submit.721531