SQL Injection and Command Injection Vulnerabilities in Times Software E-Payroll
CVE-2025-9977

5.3 MEDIUM

Key Information:

Status
Vendor
CVE Published: 18 November 2025

What is CVE-2025-9977?

A vulnerability in Times Software E-Payroll arises from inadequate sanitization of POST parameters during the user login process. This flaw allows unauthenticated attackers to cause a Denial of Service (DoS). SQL injection may also be viable, although the creation of a working exploit has been hindered by existing backend filtering. Attempts at command injection can trigger verbose error messages that expose sensitive information about the application's internal architecture. The patching status remains uncertain, as the vendor has not responded to outreach efforts.

Affected Version(s)

E-Payroll, all versions up to and including 20250121.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Sebastian Jeż