CVE-2025-15492
Published: 09 January 2026
Summary
CVE-2025-15492 is a medium-severity Injection (CWE-74) vulnerability in Docsys Project Docsys. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-15492 is a SQL injection vulnerability affecting RainyGao DocSys versions up to 2.02.36. The issue resides in an unknown function within the file src/com/DocSystem/mapping/GroupMemberMapper.xml, where manipulation of the searchWord argument enables injection. This flaw, classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by authenticated users with low privileges (PR:L), requiring no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via crafted SQL payloads in the searchWord parameter.
Advisories from VulDB (ctiid.340270, id.340270) and a public GitHub repository detail the vulnerability analysis, reproduction steps, and proof-of-concept exploit. No patches or vendor responses are available, as the developer was contacted early but did not reply.
The exploit is public and may be actively used, increasing risks for exposed DocSys instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1729
Vulnerability details
A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. Performing a manipulation of the argument searchWord results in sql injection. It is possible to initiate the attack remotely.…
The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote SQL injection in a web application (DocSys) enables exploitation of public-facing apps per T1190; limited DB manipulation impacts do not map to other techniques like command execution or credential dumping.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and neutralization of untrusted input such as the searchWord parameter before it reaches the SQL statement in GroupMemberMapper.xml.
Restricts the privileges of authenticated users so that a successful searchWord injection yields only limited C/I/A impact rather than full database control.
Enables monitoring of application and database query patterns to identify anomalous SQL syntax originating from the searchWord argument.
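With no vendor patch available, one way to act on the input-neutralization control is to audit the mapper files for raw text substitution. The script below is an added example, not code from DocSys or the advisories. It assumes the mapper files are MyBatis XML and that the injection comes from `${...}` substitution, which MyBatis splices into the SQL text, whereas `#{...}` is bound as a prepared-statement parameter; the sample mapper, its statement ids and its table name are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, NOT the real GroupMemberMapper.xml: the namespace,
# statement ids, table and column names are hypothetical.
SAMPLE_MAPPER = """<mapper namespace="example.GroupMemberMapper">
  <select id="searchUnsafe" resultType="map">
    SELECT * FROM group_member
    <where>
      <if test="searchWord != null">
        name LIKE '%${searchWord}%'
      </if>
    </where>
  </select>
  <select id="searchSafe" resultType="map">
    SELECT * FROM group_member
    WHERE name LIKE CONCAT('%', #{searchWord}, '%')
  </select>
</mapper>"""

# MyBatis elements that carry SQL text.
STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}
# ${expr} is substituted into the SQL string before the statement is prepared.
RAW_SUBST = re.compile(r"\$\{\s*([^}]+?)\s*\}")


def find_raw_substitutions(mapper_xml):
    """Return sorted (statement_id, expression) pairs for every ${...} found."""
    root = ET.fromstring(mapper_xml)
    findings = set()
    for stmt in root.iter():
        if stmt.tag not in STATEMENT_TAGS:
            continue
        # itertext() also covers nested <where>/<if>/<foreach> bodies.
        sql_text = "".join(stmt.itertext())
        for match in RAW_SUBST.finditer(sql_text):
            findings.add((stmt.get("id", "?"), match.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for stmt_id, expr in find_raw_substitutions(SAMPLE_MAPPER):
        print(f"{stmt_id}: ${{{expr}}} is spliced into SQL text; "
              f"bind it as #{{{expr}}} instead")
```

Each finding needs manual review: a `${...}` that must stay dynamic (for example an ORDER BY column name) has to be checked against a fixed allow-list before it reaches the mapper.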