CVE-2025-12864
Published: 10 November 2025
Summary
CVE-2025-12864 is a high-severity SQL Injection (CWE-89) vulnerability in Edetw U-Office Force. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006). Its exploit likelihood ranks at the 25.9th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates SQL injection by validating and sanitizing all user input before it is used in database queries.
- Flaw remediation: ensures timely patching and remediation of the specific SQL injection flaw in U-Office Force, as advised in vendor guidance.
- RA-5 (Vulnerability Monitoring and Scanning): identifies SQL injection vulnerabilities such as CVE-2025-12864 through regular vulnerability scanning and monitoring.
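As an added example (not code from the advisory, from e-Excellence, or from U-Office Force), the SI-10 control above shown in code: a lookup that splices untrusted input into the SQL text (CWE-89), beside a parameterized version and a version that also allow-lists the input shape. The in-memory users table, its rows and the department field are constructed assumptions.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, dept TEXT)")
    conn.executemany(
        "INSERT INTO users (username, dept) VALUES (?, ?)",
        [("alice", "hr"), ("bob", "it"), ("carol", "hr")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, dept: str) -> list:
    # CWE-89: the untrusted value becomes part of the SQL statement itself,
    # so any quote or operator in it changes the query's meaning.
    sql = f"SELECT username FROM users WHERE dept = '{dept}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, dept: str) -> list:
    # Bound parameter: the driver passes the value to the engine as data,
    # so it can never be interpreted as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE dept = ?"
    return [row[0] for row in conn.execute(sql, (dept,))]


# Allow-list for the department field (assumed format: 1-16 lowercase letters).
DEPT_RE = re.compile(r"[a-z]{1,16}")


def lookup_validated(conn: sqlite3.Connection, dept: str) -> list:
    # SI-10 as defence in depth: reject anything outside the expected shape
    # before it reaches the (already parameterized) query.
    if DEPT_RE.fullmatch(dept) is None:
        raise ValueError("department must be 1-16 lowercase letters")
    return lookup_parameterized(conn, dept)


def rejects_input(conn: sqlite3.Connection, dept: str) -> bool:
    """True when the validated lookup refuses the value; used for testing."""
    try:
        lookup_validated(conn, dept)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    probe = "hr' OR '1'='1"  # constructed test input, not from the advisory
    print("vulnerable:   ", lookup_vulnerable(db, probe))    # every row leaks
    print("parameterized:", lookup_parameterized(db, probe))  # no such dept: []
    print("validated:    ", rejects_input(db, probe))         # True
```

Running it shows the concatenated query returning every user for the probe value, while the parameterized query returns nothing and the validated one refuses the value outright.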
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection enables arbitrary SQL commands for reading data from databases (T1213.006), modifying stored data (T1492), and destroying data via deletion (T1485).
NVD Description
U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing an authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents.
Deeper analysis
CVE-2025-12864 is a SQL injection vulnerability (CWE-89) in U-Office Force, a software product developed by e-Excellence. Published on 2025-11-10, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw enables an authenticated remote attacker to inject arbitrary SQL commands, potentially allowing them to read, modify, or delete database contents.
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability of the underlying database, enabling data exfiltration, alteration, or destruction depending on the attacker's objectives and database permissions.
Mitigation guidance is provided in advisories from TWCERT, accessible at https://www.twcert.org.tw/en/cp-139-10489-a5a6d-2.html and https://www.twcert.org.tw/tw/cp-132-10488-2df22-1.html. Security practitioners should consult these for specific patching instructions or workarounds applicable to U-Office Force deployments.
Details
- CWE(s): CWE-89 (SQL Injection)