CVE-2025-63694

9.8 CRITICAL

📋 TL;DR

DzzOffice v2.3.7 and earlier contains a SQL injection vulnerability in the explorer/groupmanage component that allows attackers to execute arbitrary SQL commands. This affects all organizations using vulnerable versions of DzzOffice, potentially exposing sensitive database information.

💻 Affected Systems

Products:
  • DzzOffice
Versions: v2.3.7 and earlier
Operating Systems: All platforms running DzzOffice
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the explorer/groupmanage component specifically. All installations with this component enabled are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case: Unauthorized data extraction including user credentials, sensitive documents, and configuration data.

🟢 If Mitigated: Limited information disclosure if proper input validation and WAF rules are in place.

🌐 Internet-Facing: HIGH - Web applications with SQL injection vulnerabilities are prime targets for automated attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Proof-of-concept code is publicly available on GitHub. Exploitation requires some authentication but is technically simple.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or apply workarounds.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

  • Add parameter validation and sanitization to the explorer/groupmanage endpoint
  • Modify affected PHP files to use prepared statements with parameterized queries

WAF Rule Implementation (all platforms)

  • Deploy web application firewall rules to block SQL injection patterns
  • Add SQL injection detection rules to your WAF configuration

🧯 If You Can't Patch

  • Restrict network access to DzzOffice instances using firewall rules
  • Implement strict authentication and authorization controls to limit who can access the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check the DzzOffice version in the admin panel or by examining source files. Version 2.3.7 or earlier indicates the installation is vulnerable.

Check Version:

Check the version.php file or admin dashboard for version information

Verify Fix Applied:

Test the explorer/groupmanage endpoint with SQL injection payloads to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by SQL-like payloads in web logs

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) to explorer/groupmanage endpoint

SIEM Query:

source="web_logs" AND uri="/explorer/groupmanage" AND (query="SELECT" OR query="UNION" OR query="OR 1=1")
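As an added example (not part of the advisory or of DzzOffice itself), the following script applies the same detection idea to web server access logs. It assumes combined log format and a request path containing `explorer/groupmanage`, as in the SIEM query above; the log lines are constructed for illustration. It goes one step beyond the query above by URL-decoding the request before matching, so percent-encoded payloads (`%27`, `%20`) are not missed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /explorer/groupmanage?gid=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /explorer/groupmanage?gid=12%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:00:09 +0000] "GET /explorer/groupmanage?gid=1%20OR%201%3D1 HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.4 - - [10/Jan/2025:10:00:12 +0000] "GET /index.php?q=select+a+document HTTP/1.1" 200 300 "-" "curl/8.0"
"""

# Minimal parser for combined log format: client IP, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# The keyword patterns from the advisory's SIEM query (SELECT, UNION, OR 1=1),
# plus a quote-then-comment pattern; applied to the decoded URI.
SQLI_RE = re.compile(r"\bUNION\b|\bSELECT\b|\bOR\b\s*\d+\s*=\s*\d+|'\s*--", re.IGNORECASE)

# Assumed path fragment of the affected endpoint (taken from the SIEM query above).
TARGET = "explorer/groupmanage"


def analyse_log(text):
    """Return (ip, timestamp, decoded_uri, matched_token) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        uri = unquote_plus(m.group("uri"))  # decode %xx and '+' before matching
        if TARGET not in uri:
            continue  # only the affected endpoint is in scope
        sqli = SQLI_RE.search(uri)
        if sqli:
            hits.append((m.group("ip"), m.group("ts"), uri, sqli.group(0)))
    return hits


if __name__ == "__main__":
    for ip, ts, uri, token in analyse_log(SAMPLE_LOG):
        print(f"{ts} {ip} matched {token!r}: {uri}")
```

Keyword matching of this kind produces false positives on legitimate parameters that happen to contain words like `select`, so treat a hit as a trigger for review rather than a confirmed attack.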
