CVE-2025-5433
📋 TL;DR
This CVE describes a critical SQL injection vulnerability in Feng Office 3.5.1.5 that allows remote attackers to execute arbitrary SQL commands via the tz_offset parameter. The vulnerability affects all systems running the vulnerable version of Feng Office, potentially compromising database integrity and confidentiality. Attackers can exploit this without authentication to steal, modify, or delete sensitive data.
💻 Affected Systems
- Feng Office
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, or full system takeover via subsequent attacks.
Likely Case
Unauthorized data access, privilege escalation, or data manipulation affecting business operations.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage scope.
🎯 Exploit Status
Exploit code publicly available; remote exploitation possible without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None
Restart Required: No
Instructions:
No official patch available; vendor unresponsive. Consider upgrading to latest version or applying workarounds.
🔧 Temporary Workarounds
Input Validation Filter
allAdd server-side validation to reject malicious tz_offset values
Modify /index.php to sanitize tz_offset parameter before SQL query
WAF Rule
allBlock requests with SQL injection patterns in tz_offset parameter
Add WAF rule: Detect and block SQLi patterns in query strings
🧯 If You Can't Patch
- Restrict network access to Feng Office instance using firewall rules
- Implement database user with minimal permissions (read-only if possible)
🔍 How to Verify
Check if Vulnerable:
Check Feng Office version in admin panel or via file inspectionCheck Version:
Check Feng Office version in admin interface or config filesVerify Fix Applied:
Test tz_offset parameter with SQL injection payloads; successful exploitation indicates vulnerability📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests to /index.php?c=account&a=set_timezone with unusual tz_offset values
Network Indicators:
- HTTP requests containing SQL keywords in tz_offset parameter
SIEM Query:
source="web_logs" AND uri="/index.php" AND query_string="*tz_offset=*" AND (query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*INSERT*")