CVE-2025-14190 Overview
A SQL injection vulnerability has been discovered in Chanjet TPlus, an enterprise resource planning (ERP) software widely used for business management and accounting. The flaw exists in the /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx endpoint, specifically in the Load method where the currentAccId parameter is vulnerable to SQL injection attacks. This vulnerability allows remote attackers to manipulate database queries by injecting malicious SQL code, potentially leading to unauthorized data access, modification, or deletion.
Critical Impact
Remote attackers can exploit this SQL injection flaw to extract sensitive business data, modify financial records, or compromise the integrity of the entire TPlus database without authentication.
Affected Products
- Chanjet TPlus versions up to 20251121
- /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx endpoint
- Systems exposing TPlus web interface to network access
Discovery Timeline
- 2025-12-07 - CVE-2025-14190 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-14190
Vulnerability Analysis
This vulnerability falls under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which encompasses injection vulnerabilities including SQL injection. The affected component is the MultiCompanySettingController AJAX handler in the TPlus web application, specifically the Load method that processes the currentAccId parameter.
The vulnerability allows attackers to inject arbitrary SQL statements through the currentAccId parameter. When the application processes this parameter, it fails to properly sanitize or parameterize user input before incorporating it into SQL queries. This enables attackers to manipulate the query structure, potentially bypassing authentication checks, extracting sensitive data, or modifying database contents.
The exploit has been publicly disclosed and proof-of-concept code is available, increasing the risk of exploitation in the wild. The vendor (Chanjet) was contacted about this disclosure but did not respond, leaving affected systems without an official patch.
Root Cause
The root cause of this vulnerability is improper input validation in the Load method of the MultiCompanySettingController class. The currentAccId parameter is directly concatenated into SQL queries without proper sanitization, prepared statements, or parameterized queries. This classic SQL injection pattern allows attackers to break out of the intended query context and execute arbitrary SQL commands against the backend database.
Attack Vector
The attack can be initiated remotely over the network without requiring authentication. An attacker sends a crafted HTTP request to the vulnerable AJAX endpoint with a malicious currentAccId parameter containing SQL injection payloads.
The exploitation flow involves:
- Identifying a Chanjet TPlus instance exposed to the network
- Crafting a malicious request to the /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx endpoint
- Injecting SQL payloads through the currentAccId parameter in the method=Load request
- Extracting data or manipulating the database based on the injected queries
For technical details and proof-of-concept information, refer to the GitHub Issue Tracker where the vulnerability disclosure is documented.
Detection Methods for CVE-2025-14190
Indicators of Compromise
- Unusual HTTP requests to /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx containing SQL syntax in parameters
- Database error messages in application logs indicating malformed SQL queries
- Unexpected data extraction patterns or bulk data access from the TPlus database
- Web server logs showing requests with encoded SQL injection characters (%27, %22, UNION, SELECT, etc.) in the currentAccId parameter
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block SQL injection patterns in requests to TPlus AJAX endpoints
- Configure intrusion detection systems (IDS) to alert on suspicious parameter values containing SQL keywords
- Enable detailed logging for the TPlus application and monitor for database query anomalies
- Implement database activity monitoring to detect unusual query patterns or unauthorized data access
Monitoring Recommendations
- Monitor network traffic for requests to the vulnerable endpoint with abnormal parameter lengths or SQL-related characters
- Set up alerts for database errors that may indicate failed SQL injection attempts
- Review authentication and access logs for the TPlus application regularly
- Track any changes to critical database tables that may indicate successful exploitation
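As an added example (not from the advisory, and not Chanjet's code), the indicators and monitoring points above turned into a small Python log scanner: it scopes matching to the vulnerable endpoint, URL-decodes currentAccId (including double encoding) and flags SQL syntax or an abnormal value length. The W3C-style log layout, the 32-character length threshold and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint path named in the advisory; compared after URL-decoding so "%2C" for "," still matches.
VULN_ENDPOINT = ("/tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,"
                 "Ufida.T.SM.UIP.ashx")
# Quote characters and SQL keywords the advisory lists as indicators, plus comment tokens.
SQLI_RE = re.compile(r"['\"]|--|/\*|;|\b(union|select|insert|update|delete|drop|waitfor)\b", re.I)
MAX_ACCID_LEN = 32  # assumption: legitimate currentAccId values are short ids


def inspect_request(uri_stem, uri_query):
    """Return the reasons a request looks like a CVE-2025-14190 probe, or [] if nothing matches."""
    if unquote_plus(uri_stem).lower() != VULN_ENDPOINT.lower():
        return []  # only the MultiCompanySettingController handler is in scope
    params = {k.lower(): v for k, v in parse_qs(uri_query, keep_blank_values=True).items()}
    reasons = []
    for raw in params.get("currentaccid", []):
        value = unquote_plus(raw)  # parse_qs decoded once; decode again to catch %2527-style double encoding
        if SQLI_RE.search(value):
            reasons.append("sql-syntax-in-currentAccId")
        if len(value) > MAX_ACCID_LEN:
            reasons.append("oversized-currentAccId")
    return reasons


def scan_log(lines):
    """Scan W3C-style lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip directive lines and anything that is not a request record
        date, time, client, method, stem, query, status = fields[:7]
        reasons = inspect_request(stem, "" if query == "-" else query)
        if reasons:
            hits.append({"time": f"{date} {time}", "client": client,
                         "method": method, "status": status, "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic): one benign call, three probes, one unrelated URL.
EP = VULN_ENDPOINT
SAMPLE_LOG = [
    f"2025-12-08 09:15:01 10.0.0.5 GET {EP} method=Load&currentAccId=1001 200",
    f"2025-12-08 09:15:07 198.51.100.7 GET {EP} method=Load&currentAccId=1001%27-- 500",
    f"2025-12-08 09:15:09 198.51.100.7 GET {EP} method=Load&currentAccId=1%2527 500",
    f"2025-12-08 09:15:12 198.51.100.7 POST {EP} method=Load&currentAccId={'9' * 40} 200",
    "2025-12-08 09:16:00 10.0.0.9 GET /tplus/other.ashx q=select 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because IIS logs do not record POST bodies, a request whose currentAccId travels only in the body is invisible here; pair this with WAF or application-level logging for that case.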
How to Mitigate CVE-2025-14190
Immediate Actions Required
- Restrict network access to the TPlus web interface using firewall rules, limiting access to trusted IP addresses only
- Implement a web application firewall (WAF) with SQL injection protection rules in front of the TPlus application
- Consider taking the vulnerable endpoint offline if it is not critical to business operations
- Conduct a security assessment to determine if the vulnerability has already been exploited
Patch Information
As of the last update, the vendor (Chanjet) has not responded to the vulnerability disclosure and no official patch is available. Organizations should monitor VulDB and vendor channels for any future security updates. The vulnerability affects Chanjet TPlus versions up to 20251121.
Workarounds
- Deploy input validation at the network edge using a WAF configured to block requests containing SQL injection patterns in the currentAccId parameter
- Implement network segmentation to isolate the TPlus server from untrusted networks
- Use virtual patching through security appliances to filter malicious requests before they reach the application
- If source code access is available, implement parameterized queries or prepared statements for the vulnerable Load method
# Example WAF rule to block SQL injection attempts on the vulnerable endpoint
# ModSecurity rule example (chained: the deny fires only when both rules match)
# Note: tx.critical_anomaly_score is defined by the OWASP Core Rule Set setup;
# remove the setvar action if CRS is not loaded.
SecRule REQUEST_URI "@contains MultiCompanySettingController" \
    "id:1001,phase:2,deny,status:403,log,msg:'Potential SQL injection in TPlus',\
    chain"
    # URL-decode the argument (catches %27 and double-encoded %2527) before the libinjection check
    SecRule ARGS:currentAccId "@detectSQLi" \
        "t:none,t:urlDecodeUni,\
        setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.