CVE-2025-1832
Published: 02 March 2025
Summary
CVE-2025-1832 is a medium-severity Injection (CWE-74) vulnerability in Zframeworks Zz. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by validating the roleid input parameter for syntax and semantics before its use in database queries.
SI-9 restricts the roleid argument at the application interface to block malicious inputs containing SQL injection payloads.
SI-2 requires identification, reporting, and correction of the specific SQL injection flaw in the getUserList function.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection in a public-facing web application (ZroleAction.java, getUserList, via the roleid argument) enables initial access by exploiting a public-facing application (T1190), collection of data from databases (T1213.006), and abuse of server software components (T1505, as noted in the advisory).
NVD Description
A vulnerability classified as critical was found in zj1983 zz up to 2024-8. Affected by this vulnerability is the function getUserList of the file src/main/java/com/futvan/z/system/zrole/ZroleAction.java. The manipulation of the argument roleid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-1832 is a SQL injection vulnerability affecting the zj1983 zz application up to version 2024-8. The issue resides in the getUserList function within the file src/main/java/com/futvan/z/system/zrole/ZroleAction.java, where manipulation of the roleid argument enables injection. Classified under CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-02.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L). By crafting malicious input for the roleid parameter, the attacker can execute arbitrary SQL queries, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service within the application's database.
Advisories from VulDB and GitHub repositories detail the vulnerability but report no vendor response or patches, as the developer was contacted early without reply. The exploit has been publicly disclosed, including proof-of-concept details in Chinese-language Markdown files targeting the zz 2024-8-4 backend.
Notably, no evidence of active real-world exploitation is reported, and the issue has no apparent relevance to AI/ML components.
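The page does not reproduce the affected code, so the following is an added illustration (not the zz project's own ZroleAction.java) of the weak pattern behind CWE-89 next to the remediation the SI-10 and SI-2 controls call for: an allow-list check on roleid followed by a parameterised query. The table and column names, the roleid format and the method bodies are assumptions for demonstration only.

```java
// Added illustrative example, not code from the zz project: the method name
// getUserList matches the advisory, but the bodies and schema are assumed.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class RoleUserLookup {

    // Weak pattern of the kind CWE-89 describes: the caller-controlled
    // roleid is spliced into the SQL text, so the database parses any
    // SQL metacharacters it contains as part of the statement itself.
    static String buildQueryUnsafe(String roleid) {
        return "SELECT user_id, user_name FROM z_user WHERE roleid = '" + roleid + "'";
    }

    // SI-10 style allow-list (assumed format): role identifiers are treated
    // as short alphanumeric tokens; anything else is rejected before the DB.
    private static final Pattern ROLE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    static boolean isValidRoleId(String roleid) {
        return roleid != null && ROLE_ID.matcher(roleid).matches();
    }

    // Hardened form: validated input plus a parameterised query, so roleid is
    // bound as a value and cannot change the structure of the statement.
    static List<String> getUserList(Connection conn, String roleid) throws SQLException {
        if (!isValidRoleId(roleid)) {
            throw new IllegalArgumentException("rejected roleid");
        }
        String sql = "SELECT user_id, user_name FROM z_user WHERE roleid = ?";
        List<String> users = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, roleid);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    users.add(rs.getString("user_name"));
                }
            }
        }
        return users;
    }
}
```

Rejected inputs should also be logged at the application boundary, since repeated validation failures on roleid are a usable detection signal for attempts against this endpoint.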
Details
- CWE(s)