CVE-2025-7343
Published: 21 July 2025
Summary
CVE-2025-7343 is a critical-severity SQL Injection (CWE-89) vulnerability in the SFT software developed by Digiwin. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-7343 is a SQL injection vulnerability (CWE-89) in the SFT software developed by Digiwin. Published on 2025-07-21, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. The flaw enables unauthenticated remote attackers to inject arbitrary SQL commands into the application.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation allows them to read, modify, and delete database contents, resulting in high impacts to confidentiality, integrity, and availability.
Advisories from Digiwin and TWCERT/CC provide further details on the issue, available at https://www.digiwin.com/tw/news/3568.html, https://www.twcert.org.tw/en/cp-139-10271-25ea9-2.html, and https://www.twcert.org.tw/tw/cp-132-10270-83d95-1.html. Security practitioners should consult these for mitigation guidance and patch information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22055
Vulnerability details
The SFT developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated remote SQL injection in a public-facing application enables initial access via exploitation of the exposed service.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates SQL injection by requiring validation and sanitization of user input before it is used in database queries.
- SI-2 (Flaw Remediation): addresses the specific SQL injection flaw in the SFT software by mandating timely patching and remediation as advised by Digiwin.
- Monitoring of system and database activity: enables detection of anomalous queries or access patterns indicative of SQL injection exploitation.