CVE-2025-61194

6.5 MEDIUM

📋 TL;DR

CVE-2025-61194 is a SQL injection vulnerability in daicuocms V1.3.13 that allows attackers to execute arbitrary SQL commands through the Builder.php component. This affects all systems running the vulnerable version of daicuocms, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:
  • daicuocms
Versions: V1.3.13
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the ThinkPHP framework's database builder component in daicuocms.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full database compromise including data theft, modification, deletion, and potential remote code execution if database functions allow it.

🟠 Likely Case: Unauthorized data access, privilege escalation, and data manipulation through SQL injection.

🟢 If Mitigated: Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH - Web applications are directly exposed to internet-based attacks.
🏢 Internal Only: MEDIUM - Internal systems still vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires understanding of SQL injection techniques and application structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V1.3.14 or later

Vendor Advisory: https://github.com/wzy-most/zeyu-Wang/blob/main/sql/readme.md

Restart Required: No

Instructions:

1. Backup your current installation.
2. Update daicuocms to version V1.3.14 or later.
3. Verify the update by checking the version number.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement strict input validation and parameterized queries in the affected Builder.php file.

Modify library\think\db\Builder.php to use prepared statements

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict database user permissions to minimum required access

🔍 How to Verify

Check if Vulnerable:

Check if daicuocms version is V1.3.13 by examining version files or admin panel.

Check Version:

Check daicuocms configuration files or admin interface for version information.

Verify Fix Applied:

Confirm the version is V1.3.14 or later and test that SQL injection attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns in application logs
  • Multiple failed login attempts with SQL syntax

Network Indicators:

  • HTTP requests containing SQL keywords to vulnerable endpoints

SIEM Query:

source="web_logs" AND (url="*Builder.php*" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*"))
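The SIEM query above matches raw query strings, so URL-encoded requests (where a space arrives as %20 or +) slip past it. The following Python script is an added example, not part of this advisory or of daicuocms: it applies the same three indicators (SELECT, UNION, OR 1=1) to the URL-decoded query of requests whose path contains Builder.php. The log lines, client addresses and timestamps are constructed for the demonstration and assume an Apache/nginx combined-log layout; the path filter is a parameter because the page's Builder.php URL pattern is the advisory's assumption, not a confirmed request target.

```python
"""Mirror of the advisory's SIEM query, run over constructed sample log lines."""
import re
from urllib.parse import unquote_plus, urlsplit

# The three indicators named in the advisory's SIEM query, matched
# case-insensitively after URL decoding.
SQLI_PATTERNS = [
    re.compile(r"\bSELECT\b", re.I),
    re.compile(r"\bUNION\b", re.I),
    re.compile(r"\bOR\s+1\s*=\s*1\b", re.I),
]

# Combined-log style line: client, identd, user, [timestamp], "METHOD target PROTO", status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /index.php?s=/home HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2025:12:00:02 +0000] '
    '"GET /library/think/db/Builder.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 500 128',
    '198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /library/think/db/Builder.php?order=name HTTP/1.1" 200 64',
    '198.51.100.8 - - [10/Oct/2025:12:00:04 +0000] "GET /search.php?q=select+a+book HTTP/1.1" 200 64',
    '203.0.113.9 - - [10/Oct/2025:12:00:05 +0000] "GET /library/think/db/Builder.php?id=1+or+1%3D1 HTTP/1.1" 200 64',
]


def analyse_line(line, path_filter="builder.php"):
    """Return a finding dict for a request whose path contains path_filter and whose
    decoded query matches one of the indicators; return None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a recognised access-log line
    parts = urlsplit(m.group("target"))
    if path_filter not in parts.path.lower():
        return None  # the advisory scopes the query to Builder.php; other paths are ignored
    decoded = unquote_plus(parts.query)  # decode %20 / + so encoded probes are still visible
    matched = [p.pattern for p in SQLI_PATTERNS if p.search(decoded)]
    if not matched:
        return None
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "path": parts.path,
        "decoded_query": decoded,
        "matched": matched,
    }


def scan_logs(lines, path_filter="builder.php"):
    """Run analyse_line over an iterable of log lines and return the findings."""
    return [f for f in (analyse_line(l, path_filter) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(f"{finding['timestamp']} {finding['client']} {finding['path']} "
              f"matched={finding['matched']} query={finding['decoded_query']!r}")
```

Two of the five constructed lines are reported: the encoded UNION SELECT probe and the `or 1=1` probe, both from the same client; the `select a book` search on another path is not, which is what the path filter buys in noise reduction. Because the ThinkPHP Builder.php is a library class that controllers call rather than a URL users normally request, a deployment whose access logs never show that path should pass the application's own endpoint paths as path_filter instead of relying on the advisory's pattern alone.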
