Cyber Resilience

CVE-2025-1227

MediumPublic PoC

Published: 12 February 2025

Published
12 February 2025
Modified
26 August 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0009 25.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1227 is a medium-severity Injection (CWE-74) vulnerability in R1Bbit Yimioa. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-1227 is a SQL injection vulnerability affecting ywoa versions up to 2024.07.03. The issue resides in the selectList function within the file com/cloudweb/oa/mapper/xml/AddressDao.xml. Rated as critical with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it corresponds to CWE-74 (Improper Neutralization of Special Elements) and CWE-89 (SQL Injection). The vulnerability was published on 2025-02-12.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating input to the affected function, the attacker can inject malicious SQL payloads, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service within the scope of the low-privileged context.

Advisories recommend upgrading to ywoa version 2024.07.04, which addresses the issue. The exploit has been publicly disclosed and may be used, as noted in references including Gitee issues at https://gitee.com/r1bbit/yimioa/issues/IBI7XH and VulDB entries at https://vuldb.com/?ctiid.295217 and https://vuldb.com/?id.295217.

EU & UK References

Vulnerability details

A vulnerability was found in ywoa up to 2024.07.03. It has been rated as critical. This issue affects the function selectList of the file com/cloudweb/oa/mapper/xml/AddressDao.xml. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has…

more

been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505 Server Software Component Persistence
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing web app enables initial access via public-facing application exploitation (T1190), server software component abuse (T1505 as noted in advisory), and data collection from databases (T1213.006).

CVEs Like This One

CVE-2025-1224Same product: R1Bbit Yimioa
CVE-2025-1216Same product: R1Bbit Yimioa
CVE-2025-1226Same product: R1Bbit Yimioa
CVE-2025-25585Same product: R1Bbit Yimioa
CVE-2025-0410Shared CWE-74, CWE-89
CVE-2025-2034Shared CWE-74, CWE-89
CVE-2025-0486Shared CWE-74, CWE-89
CVE-2025-1185Shared CWE-74, CWE-89
CVE-2025-2389Shared CWE-74, CWE-89
CVE-2025-0558Shared CWE-74, CWE-89

Affected Assets

r1bbit
yimioa
≤ 2024-07-04

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation and neutralization of special elements in user inputs to the vulnerable selectList function.

prevent

Mandates timely remediation of the specific SQL injection flaw through patching to ywoa version 2024.07.04.

detectrespond

Facilitates identification of the SQL injection vulnerability via automated scanning and drives subsequent flaw remediation.

References