CVE-2025-25590

6.1 MEDIUM

📋 TL;DR

This SQL injection vulnerability in yimioa allows attackers to execute arbitrary SQL commands through the AddressDao.xml component. It affects all yimioa installations before version 2024.07.04, potentially compromising database integrity and exposing sensitive information.

💻 Affected Systems

Products:
  • yimioa
Versions: All versions before 2024.07.04
Operating Systems: All platforms running yimioa
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default configuration of affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data exfiltration, modification, or deletion; potential privilege escalation to system-level access.

🟠 Likely Case: Unauthorized data access and extraction from the database, potentially exposing sensitive address information and user data.

🟢 If Mitigated: Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity when unauthenticated access is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.07.04

Vendor Advisory: https://gitee.com/r1bbit/yimioa/issues/IBI7XH

Restart Required: Yes

Instructions:

1. Download yimioa version 2024.07.04 or later from the official source.
2. Back up the current installation and database.
3. Replace the vulnerable files with the patched version.
4. Restart the yimioa service.

🔧 Temporary Workarounds

Input Validation Filter (scope: all)

Implement input validation to sanitize user inputs before they are processed by the AddressDao.xml component.

  • Implement parameterized queries in AddressDao.xml
  • Add input sanitization for all user-controlled parameters
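The two workaround bullets above describe the same root fix: a query must not be assembled by pasting user-controlled text into the SQL string. The following is an added illustration, not code from yimioa or from this advisory; the table, rows and function names are constructed for the example, and it uses Python's sqlite3 module only because the real yimioa data layer is not shown on the page. If AddressDao.xml is a MyBatis mapper (an assumption drawn from the file name), the same distinction is `${param}` (string substitution, which behaves like the vulnerable function below) versus `#{param}` (a bound parameter, like the safe one).

```python
import sqlite3

# Constructed sample rows standing in for an address table; the real
# yimioa schema is not on the page and is not assumed here.
SAMPLE_ADDRESSES = [
    (1, "Alice Zhang", "alice@example.invalid"),
    (2, "O'Brien", "obrien@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE address (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO address VALUES (?, ?, ?)", SAMPLE_ADDRESSES)
    conn.commit()
    return conn


def find_by_name_vulnerable(conn: sqlite3.Connection, name: str):
    """Builds the statement by string concatenation, so the user value is
    parsed as SQL. A single apostrophe in the input terminates the string
    literal and the statement no longer means what the developer wrote;
    a crafted value can append arbitrary clauses the same way."""
    sql = "SELECT id, name, email FROM address WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # The quote broke the grammar; surface the error instead of crashing.
        return f"error: {exc}"


def find_by_name_safe(conn: sqlite3.Connection, name: str):
    """Binds the value as a parameter. The driver sends it separately from
    the SQL text, so it is only ever compared as data, never parsed."""
    sql = "SELECT id, name, email FROM address WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_vulnerable(db, "O'Brien"))  # parse error: the quote escaped the literal
    print(find_by_name_safe(db, "O'Brien"))        # the matching row
```

The legitimate name `O'Brien` is enough to show the defect: the concatenated query fails to parse because the apostrophe ends the literal early, which is exactly the point at which an attacker-controlled value would start being interpreted as SQL. The parameterized version returns the row, and the same binding mechanism is what makes it immune to injected clauses.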

Web Application Firewall (scope: all)

Deploy a WAF with SQL injection protection rules.

  • Configure the WAF to block SQL injection patterns
  • Enable SQL injection detection rules

🧯 If You Can't Patch

  • Implement network segmentation to isolate yimioa from critical systems
  • Enable detailed logging and monitoring for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Check the yimioa version; if it is earlier than 2024.07.04, the system is vulnerable.

Check Version:

Check yimioa configuration files or admin interface for version information

Verify Fix Applied:

Verify that the yimioa version is 2024.07.04 or later and test that AddressDao.xml-backed functionality still works.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts
  • Suspicious patterns in web server logs

Network Indicators:

  • Unusual database connection patterns
  • SQL error messages in HTTP responses

SIEM Query:

source="web_logs" AND ("sql" OR "union" OR "select" OR "insert") AND dest_port=*
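The SIEM query above matches bare keywords anywhere in a web log line and `dest_port=*` matches every port, so it will fire on ordinary requests that happen to contain the word "select". The following is an added detection example, not part of the advisory and not yimioa code: it parses constructed access-log lines, URL-decodes the query string, and only flags requests whose decoded parameters show SQL structure (a quote followed by a keyword, a UNION SELECT, a comment terminator, or an OR with a numeric comparison). The `/address/` path prefix is an assumption used to scope the check to the endpoints that would reach AddressDao.xml; replace it with the real routes.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache/Nginx-style access log lines; not real yimioa traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /address/list?keyword=select+tickets HTTP/1.1" 200 512
10.0.0.7 - - [01/Aug/2024:10:00:02 +0000] "GET /address/list?keyword=zhang%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 230
10.0.0.9 - - [01/Aug/2024:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 9981
10.0.0.7 - - [01/Aug/2024:10:00:04 +0000] "POST /address/save?id=1%20OR%201%3D1 HTTP/1.1" 200 44
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Rules keyed on SQL structure rather than bare keywords, to keep the
# false-positive rate down on normal search traffic.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+\bselect\b", re.I),
    "quote_then_keyword": re.compile(r"'\s*(or|and|union|select)\b", re.I),
    "comment_terminator": re.compile(r"(--|/\*|#)"),
    "or_numeric_compare": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
}

# Assumed route prefix for the endpoints backed by AddressDao.xml.
ADDRESS_PATH_PREFIX = "/address/"


def parse_line(line: str):
    """Split one access-log line into fields, decoding the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode %27, %20, '+' etc. before matching
    return rec


def detect(log_text: str, path_prefix: str = ADDRESS_PATH_PREFIX):
    """Return (ip, path, [rule names]) for each request under path_prefix
    whose decoded query string matches at least one SQLi structure rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        rules = [name for name, rx in SQLI_PATTERNS.items() if rx.search(rec["query"])]
        if rules:
            hits.append((rec["ip"], rec["path"], rules))
    return hits


def repeat_offenders(hits, threshold: int = 2):
    """IPs with at least `threshold` flagged requests: the "multiple attempts"
    signal the advisory lists, derived from the per-request hits."""
    counts: dict = {}
    for ip, _path, _rules in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for ip, path, rules in found:
        print(f"{ip} {path} -> {', '.join(rules)}")
    print("repeat offenders:", repeat_offenders(found))
```

On the constructed lines the benign search for "select tickets" is not flagged, the request to a static asset is skipped by the path filter, and the two requests from 10.0.0.7 are reported with the rules they triggered, which is the shape of alert a SIEM rule for this CVE should produce.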
