CVE-2025-60266

6.5 MEDIUM

📋 TL;DR

This SQL injection vulnerability in xckk v9.6 allows attackers to manipulate database queries through the orderBy parameter in the address/list endpoint. Attackers could potentially read, modify, or delete database contents. Anyone running xckk v9.6 with the vulnerable endpoint exposed is affected.

💻 Affected Systems

Products:
  • xckk
Versions: v9.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the address/list endpoint accessible and orderBy parameter exposed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, data manipulation, or potential remote code execution if database functions allow it.

🟠

Likely Case

Unauthorized data access and potential data leakage from the database tables accessible to the application.

🟢

If Mitigated

Attack attempts are logged and blocked by input validation or WAF rules, with minimal impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires understanding of SQL injection techniques and application structure. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Gitee repository for updates

Vendor Advisory: https://gitee.com/bestfeng/xckk

Restart Required: No

Instructions:

1. Check the Gitee repository for security updates.
2. Apply the patch that properly sanitizes the orderBy parameter.
3. Test the address/list endpoint functionality.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side validation to restrict orderBy parameter to safe values

Implement validation: allow only alphanumeric characters and underscores in orderBy parameter

WAF Rule

all

Deploy web application firewall rules to block SQL injection patterns

Configure WAF to detect and block SQL injection attempts on orderBy parameter

🧯 If You Can't Patch

  • Disable or restrict access to the address/list endpoint
  • Implement parameterized queries or prepared statements for all database operations

🔍 How to Verify

Check if Vulnerable:

Test the address/list endpoint with SQL injection payloads in the orderBy parameter and observe database errors or unexpected behavior.

Check Version:

Check application version in configuration files or about page

Verify Fix Applied:

Test with SQL injection payloads after patching; should return proper error messages or reject malicious input without database errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in orderBy parameter logs
  • Database error messages containing SQL fragments
  • Multiple failed parameter validation attempts

Network Indicators:

  • HTTP requests with SQL keywords in orderBy parameter
  • Unusual database query patterns from application server

SIEM Query:

search 'orderBy' AND ('UNION' OR 'SELECT' OR 'INSERT' OR 'DELETE' OR 'UPDATE' OR '--' OR ';' OR '/*')
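The orderBy validation workaround described above and the SIEM keyword check, as an added example that is not code from xckk (the project's language, schema and column names are not given on this page; the address table and its columns here are constructed). The hardened builder goes beyond the character filter by allowlisting column names, so an identifier that merely looks well-formed is still rejected.

```python
import re
import sqlite3

# Constructed stand-in for the address table; the real xckk schema is not on this page.
ALLOWED_ORDER_COLUMNS = {"id", "name", "city", "created_at"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def vulnerable_order_clause(order_by: str) -> str:
    """The pattern behind the advisory: request input pasted straight into SQL."""
    return "SELECT id, name, city FROM address ORDER BY " + order_by


def safe_order_clause(order_by: str) -> str:
    """Workaround from the advisory, tightened to an allowlist.

    Accepts 'column' or 'column asc|desc'; anything else raises before
    the value can reach the database.
    """
    parts = order_by.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("malformed orderBy")
    column = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if not IDENT_RE.match(column) or column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"orderBy column not permitted: {column!r}")
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"orderBy direction not permitted: {direction!r}")
    # The column is allowlisted, so quoting it as an identifier is safe.
    return f'SELECT id, name, city FROM address ORDER BY "{column}" {direction}'


def list_addresses(order_by: str) -> list:
    """Run the hardened query against an in-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE address(id INTEGER, name TEXT, city TEXT, created_at TEXT);"
        "INSERT INTO address VALUES (1,'Ann','Berlin','2024-01-02'),"
        "(2,'Bob','Austin','2023-12-30');"
    )
    return conn.execute(safe_order_clause(order_by)).fetchall()


# Detection side: the page's SIEM keyword list applied to a logged orderBy value.
SUSPICIOUS_RE = re.compile(r"\b(UNION|SELECT|INSERT|DELETE|UPDATE)\b|--|;|/\*", re.I)


def is_suspicious_order_by(value: str) -> bool:
    """True when the logged orderBy value matches the SIEM query's indicators."""
    return bool(SUSPICIOUS_RE.search(value))
```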
