CVE-2025-6267 – This critical SQL injection vulnerability in zh... (How to Fix)

Q: What is the severity of CVE-2025-6267?

CVE-2025-6267 has a CVSS score of 6.3 (MEDIUM). This critical SQL injection vulnerability in zhilink ADP Application Developer Platform 1.0.0 allows remote attackers to execute arbitrary SQL commands via the barcodeNo, barcode, or itemNo parameters in the /adpweb/a/base/barcodeDetail/ endpoint. Organizations using this specific version of the ADP platform are affected, potentially exposing sensitive database information.

📋 TL;DR

This critical SQL injection vulnerability in zhilink ADP Application Developer Platform 1.0.0 allows remote attackers to execute arbitrary SQL commands via the barcodeNo, barcode, or itemNo parameters in the /adpweb/a/base/barcodeDetail/ endpoint. Organizations using this specific version of the ADP platform are affected, potentially exposing sensitive database information.

💻 Affected Systems

Products:

zhilink ADP Application Developer Platform

Versions: 1.0.0

Operating Systems: Unknown - likely cross-platform as it's a web application

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects the specific version 1.0.0; other versions may or may not be vulnerable. The vulnerability exists in the barcodeDetail functionality.

📦 What is this software?

Adp Application Developer Platform by Zhilink

View all CVEs affecting Adp Application Developer Platform →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential remote code execution if database functions allow it.

🟠

Likely Case

Unauthorized access to sensitive application data, extraction of user credentials, and potential lateral movement within the database.

🟢

If Mitigated

Limited information disclosure if database permissions are properly restricted and input validation is implemented.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing instances particularly vulnerable.

🏢 Internal Only: HIGH - Even internal instances are vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection vulnerabilities are typically easy to exploit with standard tools like sqlmap. The vendor has not responded to disclosure attempts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Contact zhilink directly for updates. Consider upgrading to a newer version if available.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

all

Implement WAF rules to block SQL injection patterns targeting the /adpweb/a/base/barcodeDetail/ endpoint

Input Validation Filter

all

Add input validation middleware to sanitize barcodeNo, barcode, and itemNo parameters

🧯 If You Can't Patch

Block external access to the vulnerable endpoint using network ACLs or firewall rules
Implement database-level protections: restrict application database user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Test the /adpweb/a/base/barcodeDetail/ endpoint with SQL injection payloads in barcodeNo, barcode, or itemNo parameters

Check Version:

Check application version in admin interface or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that input validation is properly implemented

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in application logs
Multiple rapid requests to /adpweb/a/base/barcodeDetail/ with SQL-like patterns
Database query errors containing user-supplied input

Network Indicators:

HTTP requests to vulnerable endpoint with SQL keywords (UNION, SELECT, etc.) in parameters
Unusual database connection patterns from application server

SIEM Query:

source="web_logs" AND uri="/adpweb/a/base/barcodeDetail/" AND (param="barcodeNo" OR param="barcode" OR param="itemNo") AND (value="*SELECT*" OR value="*UNION*" OR value="*OR*" OR value="*--*")

📊 Metadata

CVE ID: CVE-2025-6267

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.03% exploit probability (6.7th percentile)

Published: June 19, 2025

Last Updated: October 9, 2025

🔗 References

https://vuldb.com/?ctiid.313271 Permissions Required,VDB Entry
https://vuldb.com/?id.313271 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.586697 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-6267, you might also want to check these: