SQL Injection Vulnerability in Leiyuxi Cy-Fast Web Application
CVE-2025-0334

5.3 MEDIUM

Key Information:

Vendor
Leiyuxi
Status
Cy-fast
Vendor
CVE Published: 9 January 2025

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

A vulnerability exists in Leiyuxi Cy-Fast version 1.0, specifically in the listData function located in the /sys/user/listData file. This vulnerability arises due to inadequate validation of input parameters, allowing attackers to manipulate the order of arguments. As a result, it opens the door to SQL injection attacks that can be executed remotely. This security flaw poses a significant risk as it can compromise the application's database integrity and expose sensitive data.

Affected Version(s)

cy-fast 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

Wu Wenhao
Yin Lingyun
d3do (VulDB User)