Cyber Resilience

CVE-2025-22957

CriticalPublic PoC

Published: 31 January 2025

Published
31 January 2025
Modified
22 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 49.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22957 is a critical-severity SQL Injection (CWE-89) vulnerability in Zzcms Zzcms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22957 is a SQL injection vulnerability (CWE-89) present in the front-end of websites built with ZZCMS versions <= 2023. Published on 2025-01-31, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by unauthenticated remote attackers via the website's front-end without requiring privileges or user interaction. Exploitation involves injecting malicious SQL payloads, potentially enabling unauthorized database access and extraction of sensitive information.

Mitigation guidance and additional details are available in advisories referenced at the vendor site http://www.zzcms.net/ and the vulnerability report https://github.com/youyouiooi/vulnerability-reports/blob/main/CVE-2025-22957/REANDE.md.

EU & UK References

Vulnerability details

A SQL injection vulnerability exists in the front-end of the website in ZZCMS <= 2023, which can be exploited without any authentication. This vulnerability could potentially allow attackers to gain unauthorized access to the database and extract sensitive information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The unauthenticated SQL injection vulnerability in the public-facing ZZCMS web application enables exploitation of a public-facing application (T1190) and unauthorized access to extract data from databases (T1213.006).

CVEs Like This One

CVE-2025-0565Same product: Zzcms Zzcms
CVE-2019-25537Shared CWE-89
CVE-2019-25366Shared CWE-89
CVE-2019-25496Shared CWE-89
CVE-2026-1475Shared CWE-89
CVE-2026-26990Shared CWE-89
CVE-2026-44047Shared CWE-89
CVE-2025-12865Shared CWE-89
CVE-2024-11135Shared CWE-89
CVE-2019-25491Shared CWE-89

Affected Assets

zzcms
zzcms
≤ 2023

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by validating all front-end user inputs against malicious SQL payloads before database processing.

prevent

Mandates timely remediation of the specific SQL injection flaw in ZZCMS through patching or upgrades to eliminate the vulnerability.

prevent

Enforces restrictions on input types, formats, and content to block oversized or malformed SQL injection attempts at the front-end.

References