
CVE-2025-0392: Huayi-tec Jeewms SQLi Vulnerability

CVE-2025-0392 is a critical SQL injection vulnerability in Huayi-tec Jeewms that allows remote attackers to manipulate database queries. This article covers technical details, affected versions, and mitigation strategies.

CVE-2025-0392 Overview

CVE-2025-0392 is a SQL injection vulnerability in Guangzhou Huayi Intelligent Technology Jeewms through version 20241229. The flaw resides in the datagridGraph function of the /graphReportController.do endpoint. Attackers manipulate the store_code request parameter to inject arbitrary SQL into backend database queries. The vulnerability is remotely exploitable over the network and requires low-privilege authentication. Public disclosure of the exploit details has occurred, increasing the likelihood of opportunistic exploitation against exposed Jeewms warehouse management deployments. The vendor has released version 20250101 to address the issue.

Critical Impact

Authenticated remote attackers can execute arbitrary SQL queries against the Jeewms database through the store_code parameter, potentially exposing warehouse, inventory, and operational data.

Affected Products

  • Guangzhou Huayi Intelligent Technology Jeewms versions up to and including 20241229
  • Component: /graphReportController.do (datagridGraph function)
  • Fixed in Jeewms version 20250101

Discovery Timeline

  • 2025-01-11 - CVE-2025-0392 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-0392

Vulnerability Analysis

The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Jeewms exposes a reporting endpoint at /graphReportController.do that invokes the datagridGraph function to render graph data. The store_code request parameter is concatenated into a SQL statement without proper sanitization or parameterized query binding. An authenticated attacker can submit crafted input containing SQL metacharacters to alter query logic, extract data, or enumerate database structure. The EPSS score is 0.625% with a percentile of 45.238, indicating moderate near-term exploitation probability. Public disclosure through the Gitee issue tracker has made exploitation details widely accessible.

Root Cause

The root cause is the lack of input validation and the absence of prepared statements when processing the store_code parameter inside datagridGraph. User-supplied data flows directly into a dynamically constructed SQL query, allowing attacker-controlled fragments to be parsed as SQL syntax rather than as literal data values.
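To make the root cause concrete, the following is an added illustration (not Jeewms code, and not taken from the page) of the two patterns the paragraph contrasts: a store_code value spliced into the statement text, versus the same lookup with the value bound as a query parameter. It uses Python's sqlite3 module in place of the application's real database; the graph_report table, its columns, the sample rows and the allow-list check are all assumptions made for the example.

```python
"""Root-cause illustration for CVE-2025-0392: string-built SQL versus a bound parameter.

Added example, not Jeewms code. The table, columns, sample rows and the
in-memory SQLite database are assumptions standing in for the real schema.
"""
import sqlite3

# Constructed sample data: a tiny stand-in for a warehouse report table.
SAMPLE_ROWS = [
    ("WH01", "bolts", 120),
    ("WH02", "nuts", 80),
    ("WH03", "washers", 45),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE graph_report (store_code TEXT, item TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO graph_report VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def datagrid_graph_unsafe(conn: sqlite3.Connection, store_code: str) -> list:
    """The vulnerable pattern: the request parameter becomes part of the SQL text,
    so quote characters and keywords in it are parsed as syntax."""
    sql = (
        "SELECT store_code, item, qty FROM graph_report WHERE store_code = '"
        + store_code
        + "'"
    )
    return conn.execute(sql).fetchall()


def datagrid_graph_safe(conn: sqlite3.Connection, store_code: str) -> list:
    """The fix: the value travels as a bound parameter and is only ever a literal."""
    sql = "SELECT store_code, item, qty FROM graph_report WHERE store_code = ?"
    return conn.execute(sql, (store_code,)).fetchall()


def store_code_is_wellformed(store_code: str) -> bool:
    """Defence in depth: an allow-list for the shape a store code is expected to have
    (assumed here to be 1-16 alphanumeric characters)."""
    return 1 <= len(store_code) <= 16 and store_code.isalnum()


if __name__ == "__main__":
    db = make_db()
    benign = "WH01"
    # Constructed boolean-condition input of the kind the advisory describes.
    hostile = "x' OR 'a'='a"
    print(datagrid_graph_unsafe(db, benign))   # one row
    print(datagrid_graph_unsafe(db, hostile))  # every row: the WHERE clause was rewritten
    print(datagrid_graph_safe(db, hostile))    # no rows: the input stayed a literal
    print(store_code_is_wellformed(hostile))   # False
```

The bound-parameter form is the actual fix; the allow-list check is a second layer that also stops the metacharacters listed under the detection section from ever reaching the query builder.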

Attack Vector

An attacker with valid low-privilege credentials sends an HTTP request to /graphReportController.do invoking the datagridGraph action. The attacker appends SQL injection payloads — such as UNION-based statements, boolean conditions, or time-based blind injection probes — to the store_code parameter. The backend executes the modified query, returning sensitive data or revealing query behavior through response timing. No user interaction is required, and the attack is performed remotely over the network.

The vulnerability is described in prose only; no verified proof-of-concept code is available. Refer to the Gitee Issue Tracker Post and VulDB #291126 for additional technical context.

Detection Methods for CVE-2025-0392

Indicators of Compromise

  • HTTP requests to /graphReportController.do containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( within the store_code parameter.
  • Web server access logs showing unusually long store_code values or URL-encoded SQL keywords from a single source IP.
  • Database error messages or syntax exceptions correlated with reporting endpoint traffic.

Detection Strategies

  • Deploy web application firewall (WAF) rules to inspect query and body parameters submitted to /graphReportController.do for SQL injection signatures.
  • Enable database query auditing to capture statements referencing the reporting tables with anomalous predicates or UNION clauses.
  • Correlate authentication logs with reporting endpoint access patterns to identify low-privilege accounts performing reconnaissance-like queries.

Monitoring Recommendations

  • Forward Jeewms application logs and database audit logs to a centralized SIEM for retention and correlation.
  • Alert on repeated 500-class server responses originating from the reporting controller, which often indicate injection probing.
  • Monitor outbound database traffic for unexpected large result sets returned to the application tier following requests to datagridGraph.
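The indicators of compromise, detection strategies and monitoring recommendations above can be checked against web-server access logs with a short script. The following Python is an added example, not code from the page or the vendor: it parses common-log-format lines, URL-decodes the store_code parameter before matching the listed metacharacters, flags overlong values, and correlates hits and 500-class responses per source IP. The log lines are constructed, and the ?datagridGraph action selector and the 32-character length bound are assumptions.

```python
"""Added detection example for the CVE-2025-0392 indicators (not Jeewms or vendor
code): scan access logs for hostile store_code values sent to the reporting
endpoint and correlate them per source IP with 500-class responses."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/graphReportController.do"
MAX_STORE_CODE_LEN = 32  # assumed upper bound for a legitimate store code

# The metacharacters and keywords listed as indicators: quote, comment, UNION, SELECT, SLEEP(
SQLI_PATTERN = re.compile(r"'|--|\bunion\b|\bselect\b|sleep\s*\(", re.IGNORECASE)

# Minimal common-log-format parser: client IP, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; the ?datagridGraph action selector is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2025:10:01:02 +0000] "GET /graphReportController.do?datagridGraph&store_code=WH01 HTTP/1.1" 200 512
10.0.0.9 - - [11/Jan/2025:10:02:15 +0000] "GET /graphReportController.do?datagridGraph&store_code=WH01%27%20UNION%20SELECT%201 HTTP/1.1" 500 87
10.0.0.9 - - [11/Jan/2025:10:02:16 +0000] "GET /graphReportController.do?datagridGraph&store_code=WH01%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512
10.0.0.7 - - [11/Jan/2025:10:03:00 +0000] "GET /cmsController.do?list HTTP/1.1" 200 2048
"""


def analyze(log_text: str):
    """Return (findings, sqli_hits_by_ip, server_errors_by_ip) for the reporting endpoint."""
    findings = []
    hits_by_ip = Counter()
    errors_by_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, status = m["ip"], int(m["status"])
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        if status >= 500:
            errors_by_ip[ip] += 1  # repeated 500s from this controller suggest probing
        for raw in parse_qs(parts.query).get("store_code", []):
            # parse_qs decodes once; decode again so double-encoded input is also inspected.
            value = unquote_plus(raw)
            reasons = []
            if SQLI_PATTERN.search(value):
                reasons.append("sql metacharacters")
            if len(value) > MAX_STORE_CODE_LEN:
                reasons.append("overlong value")
            if reasons:
                hits_by_ip[ip] += 1
                findings.append({"ip": ip, "status": status, "store_code": value, "reasons": reasons})
    return findings, hits_by_ip, errors_by_ip


def suspicious_sources(hits_by_ip: Counter, errors_by_ip: Counter, min_hits: int = 2) -> list:
    """IPs that probed repeatedly, or whose probing coincided with server errors."""
    candidates = set(hits_by_ip) | set(errors_by_ip)
    return sorted(
        ip for ip in candidates
        if hits_by_ip[ip] >= min_hits or (hits_by_ip[ip] and errors_by_ip[ip])
    )


if __name__ == "__main__":
    found, hits, errors = analyze(SAMPLE_LOG)
    for f in found:
        print(f)
    print("suspicious sources:", suspicious_sources(hits, errors))
```

Decoding before matching matters because access logs record the request target as sent, so a quote arrives as %27 and a plain string search for the characters in the indicator list would miss it. The per-IP counters are the piece to forward to the SIEM for correlation with authentication logs.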

How to Mitigate CVE-2025-0392

Immediate Actions Required

  • Upgrade Jeewms to version 20250101 or later, which contains the vendor fix for the store_code parameter handling.
  • Restrict access to /graphReportController.do to trusted internal networks until patching is complete.
  • Audit application accounts and rotate credentials for any low-privilege users that may have been used for exploitation attempts.

Patch Information

Guangzhou Huayi Intelligent Technology released Jeewms version 20250101 to remediate CVE-2025-0392. Administrators should download the updated release and apply it according to vendor upgrade procedures. Patch references are available through the Gitee Issue Tracker Post and the VulDB CTI #291126 advisory.

Workarounds

  • Place a WAF in front of Jeewms with strict SQL injection rules covering the store_code parameter on the datagridGraph action.
  • Limit database account privileges used by the Jeewms application to the minimum required for normal operation, reducing the impact of successful injection.
  • Disable or block the reporting endpoint at the reverse proxy until the upgrade to 20250101 is deployed.
```nginx
# Example nginx rule to block obvious SQL injection patterns on the affected endpoint.
# Caveat: $args is the raw, undecoded query string, so percent-encoded metacharacters
# (for example %27 for the quote) are not matched; treat this as a stopgap until the
# upgrade to 20250101 is deployed. jeewms_backend is an upstream defined elsewhere.
location /graphReportController.do {
    if ($args ~* "(union.*select|sleep\(|--|';|/\*)") {
        return 403;
    }
    proxy_pass http://jeewms_backend;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
