Cyber Resilience

CVE-2025-15492

Medium · Public PoC

Published: 09 January 2026

Modified: 22 January 2026
KEV Added
Patch
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0038 (29.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-15492 is a medium-severity Injection (CWE-74) vulnerability in Docsys Project Docsys. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-15492 is a SQL injection vulnerability affecting RainyGao DocSys versions up to 2.02.36. The issue resides in an unknown function within the file src/com/DocSystem/mapping/GroupMemberMapper.xml, where manipulation of the searchWord argument enables injection. This flaw, classified under CWE-74 (Injection) and CWE-89 (SQL Injection), carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by authenticated users with low privileges (PR:L), requiring no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via crafted SQL payloads in the searchWord parameter.

Advisories from VulDB (ctiid.340270, id.340270) and a public GitHub repository detail the vulnerability analysis, reproduction steps, and proof-of-concept exploit. No patches or vendor responses are available, as the developer was contacted early but did not reply.

The exploit is public and may be actively used, increasing risks for exposed DocSys instances.

Vulnerability details

A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. Manipulating the argument searchWord results in SQL injection. It is possible to initiate the attack remotely.…

The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in a web application (DocSys) enables exploitation of public-facing apps per T1190; limited DB manipulation impacts do not map to other techniques like command execution or credential dumping.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15494 · Same product: Docsys Project Docsys
CVE-2025-15493 · Same product: Docsys Project Docsys
CVE-2025-11630 · Same product: Docsys Project Docsys
CVE-2025-11631 · Same product: Docsys Project Docsys
CVE-2026-2116 · Shared CWE-74, CWE-89
CVE-2025-15436 · Shared CWE-74, CWE-89
CVE-2026-6148 · Shared CWE-74, CWE-89
CVE-2026-3792 · Shared CWE-74, CWE-89
CVE-2026-9447 · Shared CWE-74, CWE-89
CVE-2026-6153 · Shared CWE-74, CWE-89

Affected Assets

docsys project · docsys · ≤ 2.02.36

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires validation and neutralization of untrusted input such as the searchWord parameter before it reaches the SQL statement in GroupMemberMapper.xml.

prevent

Restricts the privileges of authenticated users so that a successful searchWord injection yields only limited C/I/A impact rather than full database control.

detect

Enables monitoring of application and database query patterns to identify anomalous SQL syntax originating from the searchWord argument.
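
The detect control above, sketched as access-log triage (an added example, not code from DocSys or the referenced advisories): it extracts searchWord from each request, undoes repeated URL-encoding, and flags values that carry SQL syntax. The log lines, the /PLACEHOLDER/members path and the rule set are constructed assumptions; the page does not name the endpoint that receives searchWord.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format). The request path
# is a placeholder: the page does not name the endpoint that takes searchWord.
SAMPLE_LOG = """\
10.0.0.5 - alice [09/Jan/2026:10:01:02 +0000] "GET /PLACEHOLDER/members?groupId=3&searchWord=zhang HTTP/1.1" 200 512
10.0.0.9 - bob [09/Jan/2026:10:01:07 +0000] "GET /PLACEHOLDER/members?groupId=3&searchWord=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9841
10.0.0.9 - bob [09/Jan/2026:10:01:09 +0000] "GET /PLACEHOLDER/members?groupId=3&searchWord=x%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 77
10.0.0.7 - carol [09/Jan/2026:10:02:00 +0000] "GET /PLACEHOLDER/members?groupId=4&searchWord=O%27Brien HTTP/1.1" 200 300
10.0.0.7 - carol [09/Jan/2026:10:02:30 +0000] "GET /PLACEHOLDER/docs?name=select%20committee HTTP/1.1" 200 120
"""

# Captures: authenticated user, request target, HTTP status.
LINE_RE = re.compile(r'^\S+ \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# Heuristic rules (assumed, tune per deployment). A lone quote is not flagged,
# so ordinary names such as O'Brien do not raise alerts.
RULES = {
    "quote_then_keyword": re.compile(r"""['"]\s*(?:or|and|union|select)\b""", re.I),
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "comment_or_stack": re.compile(r"--|/\*|;\s*\w"),
    "timing_function": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded input is inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_search_words(log_text):
    """Return (user, status, decoded searchWord, matched rule names) per hit."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, target, status = m.group(1), m.group(2), int(m.group(3))
        for raw in parse_qs(urlsplit(target).query).get("searchWord", []):
            value = fully_decode(raw)
            hits = sorted(name for name, rx in RULES.items() if rx.search(value))
            if hits:
                findings.append((user, status, value, hits))
    return findings
```

Because exploitation requires a low-privilege authenticated session (PR:L), grouping the findings by the logged user shows which account the requests came from.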
