A Critical SQL Injection Vulnerability in Baiyi Cloud Asset Management System
CVE-2025-1464 is a critical vulnerability discovered in the Baiyi Cloud Asset Management System, affecting versions up to 20250204. This vulnerability allows for SQL injection attacks by manipulating the project_id argument in the /wuser/admin.house.collect.php file. The exploit is publicly available and can be initiated remotely without requiring authentication.
: Critical
: SQL Injection
:
/wuser/admin.house.collect.php:
project_id: Confidentiality, Integrity, and Availability (CIA) are compromised due to the ability to manipulate SQL queries.
:
: Up to 7.5 (High Severity)
: AV:N/AC:L/Au:N/C:P/I:P/A:P (Network Attack Vector, Low Attack Complexity, No Authentication Required)
: 10.0
: 6.4
The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). These classifications highlight the failure to properly sanitize user input, allowing malicious SQL commands to be executed.
: Remote exploitation is possible without authentication, making it highly accessible to attackers.
: The exploit is publicly available and has been disclosed on platforms like GitHub.
: Despite early notification, the vendor has not responded or provided any patches or mitigations.
: Unauthorized Data Access
: An attacker discovers a Baiyi Cloud Asset Management System instance vulnerable to CVE-2025-1464.
: The attacker crafts a malicious SQL query by manipulating the
project_idparameter in the/wuser/admin.house.collect.phpfile.: The attacker injects SQL code to extract sensitive data or modify database records.
: The attacker gains unauthorized access to confidential data, potentially leading to data breaches or system compromise.
Given the lack of official patches or responses from the vendor, users are advised to consider the following:
: Consider replacing the affected system with a more secure alternative.
: Implement robust monitoring and detection systems to identify potential SQL injection attempts.
: Ensure that any user input is thoroughly validated and sanitized to prevent similar vulnerabilities.
Conclusion
CVE-2025-1464 poses a significant risk to organizations using the Baiyi Cloud Asset Management System due to its ease of exploitation and potential for severe data breaches. Immediate action is necessary to protect against this vulnerability, including seeking alternative solutions or implementing robust security measures.