CVE-2025-15420: Critical Unauthenticated SQL Injection in Yonyou KSOA Allows Full Database Compromise

Vulnerability Overview

  • CVE ID: CVE-2025-15420
  • Product: Yonyou KSOA
  • Affected Version: 9.0
  • Vulnerability Type: SQL Injection
  • Affected Endpoint: /worksheet/agent_work_report.jsp
  • Attack Vector: Network (Remote)
  • Authentication Required: No
  • User Interaction: None

Severity & Risk Rating

  • CVSS v3.1 Score: 9.8 (Critical)
  • Severity: Critical
  • Exploitability: High
  • Impact: Full database compromise, data leakage, possible system takeover

This vulnerability is considered high risk due to ease of exploitation and the business-critical nature of the affected platform.


Exploit Status

  • Exploit Availability: Publicly disclosed
  • Proof-of-Concept (PoC): Exists
  • Active Exploitation: Possible and likely
  • Vendor Response: No public advisory issued at the time of disclosure

Technical Description

CVE-2025-15420 is caused by improper input validation in the JSP endpoint:

/worksheet/agent_work_report.jsp

The application accepts an HTTP parameter named ID and directly inserts it into backend SQL queries without sanitization or parameterization. This allows attackers to inject arbitrary SQL commands that are executed by the database.

Because the endpoint is publicly accessible and does not enforce authentication, the vulnerability can be exploited by any remote attacker.


Root Cause Analysis

  • Unsanitized user input
  • Dynamic SQL query construction
  • Absence of prepared statements
  • Lack of access control on sensitive JSP endpoints
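To make the root cause concrete, an added Python example (not KSOA's own JSP code and not the vendor's schema; the table, rows and function names are constructed for illustration): the same ID lookup written with string concatenation, as the advisory describes, beside a hardened version that allowlists a numeric ID and binds it as a query parameter.

```python
import sqlite3

# Constructed in-memory table standing in for the report data the JSP queries;
# the real KSOA schema is not on the page and is not reproduced here.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE agent_work_report (id INTEGER, agent TEXT, report TEXT)")
    con.executemany("INSERT INTO agent_work_report VALUES (?, ?, ?)",
                    [(1, "alice", "q1 summary"), (2, "bob", "q2 summary"), (3, "carol", "q3 summary")])
    return con

def vulnerable_lookup(con, raw_id):
    """Pattern described in the advisory: the ID parameter is concatenated into the SQL text."""
    sql = "SELECT id, agent FROM agent_work_report WHERE id = '" + raw_id + "'"
    return con.execute(sql).fetchall()

def hardened_lookup(con, raw_id):
    """Allowlist validation plus a bound parameter: the ID can never change the query structure."""
    if not raw_id.isdigit():
        raise ValueError("ID must be a positive integer")
    return con.execute("SELECT id, agent FROM agent_work_report WHERE id = ?", (int(raw_id),)).fetchall()

def demo():
    con = build_db()
    benign = "2"
    boolean_payload = "1' OR '1'='1"   # first example payload listed in the advisory
    results = {
        "vuln_benign": vulnerable_lookup(con, benign),      # one row
        "vuln_payload": vulnerable_lookup(con, boolean_payload),  # every row: the WHERE clause is always true
        "fixed_benign": hardened_lookup(con, benign),       # one row
    }
    try:
        hardened_lookup(con, boolean_payload)
        results["fixed_payload"] = "executed"
    except ValueError:
        results["fixed_payload"] = "rejected"                # never reaches the database
    return results
```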

How the Vulnerability Can Be Exploited

Attack Conditions

  • Internet or internal network access to the KSOA instance
  • No valid user account required

Attack Flow

  1. Attacker identifies a reachable KSOA server
  2. Sends crafted HTTP requests to the vulnerable JSP
  3. Injects SQL syntax via the ID parameter
  4. Database executes injected SQL
  5. Attacker extracts or manipulates sensitive data

Example Payloads (For Defense & Detection Only)

/worksheet/agent_work_report.jsp?ID=1' OR '1'='1
/worksheet/agent_work_report.jsp?ID=1 UNION SELECT username,password FROM users--
/worksheet/agent_work_report.jsp?ID=1 AND SLEEP(5)

These payloads demonstrate Boolean-based, UNION-based, and time-based SQL injection techniques.


Impact Assessment

Successful exploitation may lead to:

  • Exposure of internal OA data
  • Leakage of employee and business records
  • Theft of credentials stored in the database
  • Unauthorized modification or deletion of records
  • Possible pivoting into connected enterprise systems

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1005 – Data from Local System
  • T1041 – Exfiltration Over Command and Control Channel
  • T1083 – File and Directory Discovery

Detection & Monitoring

Recommended Log Sources

  • Web server access logs
  • Application server logs
  • Database query and slow-query logs
  • WAF logs
  • Reverse proxy logs

Indicators of Compromise

  • SQL keywords in request parameters
  • Non-numeric input in the ID parameter
  • Repeated access to the same JSP endpoint
  • Unexpected database errors in responses
  • Abnormal response delays

WAF Protection Rules

Rule 1 – SQL Keyword Blocking

IF uri CONTAINS "/worksheet/agent_work_report.jsp"
AND parameters MATCH "(?i)(union|select|sleep|benchmark|--|'|or\s+1=1)"
THEN block AND log

Rule 2 – Parameter Validation

IF uri CONTAINS "/worksheet/agent_work_report.jsp"
AND parameter "ID" CONTAINS NON_NUMERIC_CHARACTERS
THEN block AND alert

Rule 3 – Time-Based Injection Detection

IF uri CONTAINS "/worksheet/agent_work_report.jsp"
AND response_time > 5s
AND request CONTAINS ("sleep" OR "benchmark")
THEN block AND alert

SIEM Detection Rules

Rule 1 – SQL Injection Attempt

Trigger when:

  • URI equals /worksheet/agent_work_report.jsp
  • AND request contains SQL operators or comments

Severity: High


Rule 2 – Enumeration Behavior

Trigger when:

  • Same source IP
  • More than 5 requests in 60 seconds
  • Each request uses a different ID value

Severity: Medium → High


Rule 3 – Database Error Correlation

Trigger when:

  • SQL error messages appear in application logs
  • AND request was unauthenticated

Severity: High
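The WAF rules and SIEM rules above, as an added Python detection script that is not part of the advisory: it parses constructed access-log lines (timestamp, client IP, request target, response time in milliseconds; this log format is an assumption), applies WAF Rules 1 to 3 to each request and SIEM Rule 2 (enumeration) to each source IP, and returns the alerts.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "/worksheet/agent_work_report.jsp"
# Pattern from WAF Rule 1; bare "select" and "'" also hit legitimate input, so tune before blocking.
SQL_PATTERN = re.compile(r"(?i)(union|select|sleep|benchmark|--|'|or\s+1=1)")
# Constructed log lines: timestamp, client IP, request target, response time in ms.
SAMPLE_LOG = """\
2025-01-10T10:00:01 198.51.100.7 /worksheet/agent_work_report.jsp?ID=1042 120
2025-01-10T10:00:05 203.0.113.9 /worksheet/agent_work_report.jsp?ID=1%27%20OR%20%271%27%3D%271 130
2025-01-10T10:00:09 203.0.113.9 /worksheet/agent_work_report.jsp?ID=1%20AND%20SLEEP(5) 5210
2025-01-10T10:00:12 203.0.113.9 /worksheet/agent_work_report.jsp?ID=2 110
2025-01-10T10:00:15 203.0.113.9 /worksheet/agent_work_report.jsp?ID=3 110
2025-01-10T10:00:18 203.0.113.9 /worksheet/agent_work_report.jsp?ID=4 110
2025-01-10T10:00:21 203.0.113.9 /worksheet/agent_work_report.jsp?ID=5 110
"""

def parse_line(line):
    ts, ip, target, ms = line.split()
    parts = urlsplit(target)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "path": parts.path, "ms": int(ms),
            "query": unquote_plus(parts.query), "id": parse_qs(parts.query).get("ID", [""])[0]}

def classify(ev):
    """WAF Rules 1-3 applied to one request (query string is URL-decoded first); returns rules that fire."""
    if ev["path"] != ENDPOINT:
        return []
    hits = []
    if SQL_PATTERN.search(ev["query"]):
        hits.append("sql_keyword")
    if not ev["id"].isdigit():
        hits.append("non_numeric_id")
    if ev["ms"] > 5000 and re.search(r"(?i)sleep|benchmark", ev["query"]):
        hits.append("time_based")
    return hits

def detect(log_text, window_s=60, threshold=5):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = [(e["ip"], e["ts"].isoformat(), h) for e in events for h in classify(e)]
    # SIEM Rule 2: one source IP, more than `threshold` requests inside `window_s` seconds, all with distinct IDs.
    on_endpoint = [e for e in events if e["path"] == ENDPOINT]
    for ip in {e["ip"] for e in on_endpoint}:
        evs = [e for e in on_endpoint if e["ip"] == ip]
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            if len(win) > threshold and len({e["id"] for e in win}) == len(win):
                alerts.append((ip, start["ts"].isoformat(), "enumeration"))
                break
    return alerts
```

Matching runs on the decoded query string so percent-encoded quotes and spaces, as in the sample lines, do not slip past the keyword rule.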


Threat Hunting Guidance

Security teams should actively look for:

  • Repeated unauthenticated access to OA endpoints
  • Parameter tampering on legacy JSP files
  • Database performance anomalies linked to web traffic
  • Access from unusual IP ranges or regions

Mitigation Recommendations

Immediate Actions

  • Block external access to the vulnerable endpoint
  • Deploy WAF rules for SQL injection
  • Increase monitoring of database activity

Long-Term Actions

  • Apply vendor security patch
  • Refactor code to use prepared statements
  • Enforce authentication on sensitive endpoints
  • Conduct a full application security review

Official Patch Information

An official fix has been made available through Yonyou’s customer support and update portal.
There is no publicly indexed patch URL, and access is typically provided to licensed customers.

Official Vendor Portal:
https://www.yonyou.com

Organizations should log in to the support section and request the security update for KSOA 9.0 addressing CVE-2025-15420.

Systems that cannot be patched immediately should be isolated from public networks.


Risk Conclusion

CVE-2025-15420 is a critical, remotely exploitable SQL injection vulnerability that poses a serious threat to organizations running Yonyou KSOA 9.0.
Due to public exploit availability and lack of authentication, immediate remediation is strongly recommended.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.