CVE-2025-34038
published 2025-06-24

Priority: P1 · 79 · high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.84% (76.3th percentile)

A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_etcd_3.5.9-1_on_azure_linux_3.0 | | |
| msrc | azl3_kubernetes_1.28.7-2_on_azure_linux_3.0 | | |
| msrc | azl3_moby-engine_25.0.3-13_on_azure_linux_3.0 | | |
| msrc | azure_linux_3.0_arm | | |
| msrc | azure_linux_3.0_x64 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |
| weaver | e-cology | <= 8.0 | |

Detection & IOCs (extracted from sources)

url: /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select+547653*865674+as+id
path: /js/hrm/getdata.jsp
  • Detect exploitation attempts by monitoring GET requests to /js/hrm/getdata.jsp with the parameter cmd=getSelectAllId and a user-supplied sql= parameter value.
  • A numeric multiplication canary (547653*865674) is used in the PoC payload; the response body containing '474088963122' confirms successful SQL injection execution.
  • The vulnerability is exploitable by unauthenticated attackers; no session or authentication token is required. Alert on any unauthenticated access to getdata.jsp with a sql= query parameter.
  • Active exploitation in the wild was confirmed by the Shadowserver Foundation on 2025-02-05 UTC; treat any hits on this endpoint as high-priority.
  • Use the FOFA fingerprint 'app="泛微-协同办公OA"' to identify internet-exposed Fanwei e-cology OA instances for proactive asset discovery and patching prioritization.
  • The vulnerability is specific to Fanwei e-cology version 8.0; other versions may or may not be affected and should be tested independently.
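
The first and third detection points above, as log-matching logic. This is an added example, not code from this page or from the vendor; it assumes web access logs in common/combined log format, and the function name `find_getdata_sqli` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/js/hrm/getdata.jsp"  # endpoint named on this page
TARGET_CMD = "getselectallid"        # cmd value named on this page, case-folded

# Common/combined log prefix: ip, ident, user, [time], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_getdata_sqli(lines):
    """Return one dict per request matching path + cmd=getSelectAllId + sql=."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_path, _, raw_query = m["target"].partition("?")
        # Normalise before comparing: decode %xx, drop ;path-params,
        # collapse repeated slashes, fold case.
        path = re.sub(r"/+", "/", unquote(raw_path).split(";", 1)[0]).lower()
        if path != TARGET_PATH:
            continue
        # parse_qs decodes %xx and '+'; keys are folded so SQL= also matches.
        params = {k.lower(): v
                  for k, v in parse_qs(raw_query, keep_blank_values=True).items()}
        if TARGET_CMD in (c.lower() for c in params.get("cmd", [])) and "sql" in params:
            hits.append({"line": lineno, "ip": m["ip"],
                         "status": int(m["status"]), "sql": params["sql"][0]})
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /js/hrm/getdata.jsp'
    '?cmd=getSelectAllId&sql=select+547653*865674+as+id HTTP/1.1" 200 13',
    '198.51.100.23 - - [01/Jan/2025:10:02:11 +0000] "GET /js/hrm/GetData.jsp'
    '?CMD=getselectallid&sql=select%201 HTTP/1.1" 200 5',
    '192.0.2.10 - - [01/Jan/2025:10:03:00 +0000] "GET /js/hrm/getdata.jsp'
    '?cmd=getSelectAllId HTTP/1.1" 200 0',
    '192.0.2.11 - - [01/Jan/2025:10:04:00 +0000] "GET /index.jsp?sql=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_getdata_sqli(SAMPLE_LOG):
        print(hit)
```

Access logs carry only the query string, so a `sql` value sent in a request body would need a WAF or proxy rule with body inspection instead.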

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.7 | HIGH | |
| vendor_msrc | | 7.5 | HIGH | |