CVE-2025-22957
Published: 31 January 2025
Summary
CVE-2025-22957 is a critical-severity SQL Injection (CWE-89) vulnerability in Zzcms Zzcms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22957 is a SQL injection vulnerability (CWE-89) present in the front-end of websites built with ZZCMS versions <= 2023. Published on 2025-01-31, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by unauthenticated remote attackers via the website's front-end without requiring privileges or user interaction. Exploitation involves injecting malicious SQL payloads, potentially enabling unauthorized database access and extraction of sensitive information.
Mitigation guidance and additional details are available in advisories referenced at the vendor site http://www.zzcms.net/ and the vulnerability report https://github.com/youyouiooi/vulnerability-reports/blob/main/CVE-2025-22957/REANDE.md.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3053
Vulnerability details
A SQL injection vulnerability exists in the front-end of the website in ZZCMS <= 2023, which can be exploited without any authentication. This vulnerability could potentially allow attackers to gain unauthorized access to the database and extract sensitive information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated SQL injection vulnerability in the public-facing ZZCMS web application enables exploitation of a public-facing application (T1190) and unauthorized access to extract data from databases (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by validating all front-end user inputs against malicious SQL payloads before database processing.
Mandates timely remediation of the specific SQL injection flaw in ZZCMS through patching or upgrades to eliminate the vulnerability.
Enforces restrictions on input types, formats, and content to block oversized or malformed SQL injection attempts at the front-end.