CVE Vulnerability Database

CVE-2025-15424: Yonyou KSOA SQL Injection Vulnerability

CVE-2025-15424 is a SQL injection flaw in Yonyou KSOA 9.0 affecting the HTTP GET Parameter Handler. Attackers can exploit the ID parameter remotely to manipulate database queries. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2025-15424 Overview

A SQL injection vulnerability has been identified in Yonyou KSOA (Knowledge Service-Oriented Architecture) version 9.0. The vulnerability exists in the /worksheet/agent_worksdel.jsp file within the HTTP GET Parameter Handler component. Attackers can exploit this flaw by manipulating the ID argument to inject malicious SQL statements, potentially compromising the underlying database. This vulnerability is remotely exploitable, and a public proof-of-concept exploit has been disclosed. The vendor was contacted about this disclosure but did not respond.

Critical Impact

Remote SQL injection vulnerability allowing unauthenticated attackers to manipulate database queries through the ID parameter in agent_worksdel.jsp, potentially leading to unauthorized data access, modification, or deletion.

Affected Products

  • Yonyou KSOA 9.0
  • Yonyou Space-Time Enterprise Information Integration Platform (KSOA)

Discovery Timeline

  • 2026-01-02 - CVE-2025-15424 published to NVD
  • 2026-01-05 - Last updated in NVD database

Technical Details for CVE-2025-15424

Vulnerability Analysis

This SQL injection vulnerability (classified under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) affects the worksheet functionality within Yonyou KSOA 9.0. The vulnerable endpoint agent_worksdel.jsp fails to properly sanitize the ID parameter received via HTTP GET requests before incorporating it into database queries.

The vulnerability enables network-based attacks without requiring authentication or user interaction. An attacker can craft malicious HTTP GET requests containing SQL injection payloads in the ID parameter. The application directly concatenates user input into SQL queries without proper parameterization or input validation, allowing attackers to execute arbitrary SQL commands against the backend database.

Root Cause

The root cause is improper input validation and lack of parameterized queries in the agent_worksdel.jsp file. The application accepts the ID parameter from HTTP GET requests and constructs SQL queries through string concatenation rather than using prepared statements or proper input sanitization. This classic injection flaw allows attacker-controlled data to alter the intended SQL query structure.
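The concatenation pattern the advisory describes, shown beside its parameterized and validated form, as an added example that is not code from Yonyou KSOA. It uses Python with SQLite rather than the product's JSP/Java; the worksheets table, its sample rows and the handler names are assumptions made for the demonstration. The tautology string passed in the test shows the difference: pasted into the query text it removes every row, bound as a parameter it matches nothing, and rejected by the allowlist it never reaches the database at all.

```python
import re
import sqlite3

# Constructed stand-in for the worksheet table behind agent_worksdel.jsp.
# The table name, columns and sample rows are assumptions for this example.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE worksheets (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO worksheets VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM worksheets").fetchone()[0]

def delete_worksheet_vulnerable(conn, raw_id):
    """The flaw pattern the advisory describes: the ID parameter is pasted
    straight into the query text, so whatever it contains becomes SQL."""
    sql = "DELETE FROM worksheets WHERE id = " + raw_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually deleted

def delete_worksheet_parameterized(conn, raw_id):
    """Same query with a bound parameter: the value travels as data and is
    never parsed as SQL. A tautology string simply matches no integer id."""
    cur = conn.execute("DELETE FROM worksheets WHERE id = ?", (raw_id,))
    conn.commit()
    return cur.rowcount

ID_PATTERN = re.compile(r"[0-9]{1,18}")

def parse_worksheet_id(raw_id):
    """Allowlist validation: a worksheet id is a decimal integer, nothing else."""
    if not ID_PATTERN.fullmatch(raw_id):
        raise ValueError("ID must be a decimal integer")
    return int(raw_id)

def handle_delete_request(conn, raw_id):
    """Defence in depth: validate the parameter, then bind it. Returns an
    HTTP-style result so a caller never sees a raw database error."""
    try:
        worksheet_id = parse_worksheet_id(raw_id)
    except ValueError:
        return {"status": 400, "deleted": 0}
    deleted = delete_worksheet_parameterized(conn, worksheet_id)
    return {"status": 200, "deleted": deleted}

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", delete_worksheet_vulnerable(db, "1 OR 1=1"), "rows deleted")
    db = setup_db()
    print("parameterized:", delete_worksheet_parameterized(db, "1 OR 1=1"), "rows deleted")
    print("validated:", handle_delete_request(db, "1 OR 1=1"))
```

The allowlist check is the same one a reverse proxy can apply in front of the application while no patch exists; the bound parameter is the fix the application itself needs.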

Attack Vector

The attack is conducted remotely over the network by sending crafted HTTP GET requests to the vulnerable endpoint. The attacker targets the /worksheet/agent_worksdel.jsp endpoint and injects SQL payloads through the ID parameter. No authentication is required to exploit this vulnerability, making it accessible to any attacker who can reach the web application.

The exploitation pattern typically involves appending SQL metacharacters and commands to the ID parameter value, which breaks out of the intended query context and allows execution of attacker-supplied SQL statements. Technical details and proof-of-concept information are available in the GitHub SQL Injection PoC documentation.

Detection Methods for CVE-2025-15424

Indicators of Compromise

  • HTTP GET requests to /worksheet/agent_worksdel.jsp containing SQL metacharacters (single quotes, double dashes, semicolons, UNION keywords) in the ID parameter
  • Unusual database query patterns or errors logged by the application server
  • Unexpected data extraction or database enumeration activity originating from web application queries
  • Access logs showing repeated requests to the vulnerable endpoint with varying payloads

Detection Strategies

  • Deploy web application firewall (WAF) rules to detect and block SQL injection patterns targeting the ID parameter
  • Enable verbose logging on the application server to capture all requests to agent_worksdel.jsp
  • Implement database activity monitoring to detect anomalous query patterns or unauthorized data access
  • Configure intrusion detection systems (IDS) with signatures for common SQL injection attack patterns

Monitoring Recommendations

  • Monitor HTTP access logs for requests to /worksheet/agent_worksdel.jsp with suspicious parameter values
  • Enable database audit logging to track all queries executed against the backend database
  • Set up alerts for SQL error messages appearing in application logs, which may indicate injection attempts
  • Review network traffic for unusual outbound data transfers that could indicate successful data exfiltration
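The access-log indicators and monitoring points above, turned into a scanner, as an added example that is not part of the original advisory. It assumes a combined-log-format access log (the line layout and the constructed sample entries are assumptions, not real traffic) and flags requests to /worksheet/agent_worksdel.jsp whose ID parameter carries the listed metacharacters, requests to that endpoint that ended in a 5xx (the SQL-error indicator), and sources that hit the endpoint repeatedly. The second decode pass is there because a single URL-decoding misses double-encoded values.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

VULNERABLE_PATH = "/worksheet/agent_worksdel.jsp"

# Combined-log-format line: source, timestamp, request line, status (assumed layout).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Metacharacters named in the advisory: quote, comment marker, statement separator, UNION.
SQLI_META = re.compile(r"'|--|;|\bunion\b", re.IGNORECASE)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2026:10:15:01 +0000] "GET /worksheet/agent_worksdel.jsp?ID=42 HTTP/1.1" 200 128',
    '198.51.100.7 - - [05/Jan/2026:10:16:10 +0000] "GET /worksheet/agent_worksdel.jsp?ID=42%27 HTTP/1.1" 500 512',
    '198.51.100.7 - - [05/Jan/2026:10:16:11 +0000] "GET /worksheet/agent_worksdel.jsp?ID=42%3B-- HTTP/1.1" 500 512',
    '198.51.100.7 - - [05/Jan/2026:10:16:12 +0000] "GET /worksheet/agent_worksdel.jsp?id=42%2527 HTTP/1.1" 200 128',
    '203.0.113.9 - - [05/Jan/2026:10:20:00 +0000] "GET /worksheet/agent_worksdel.jsp?ID=99999 HTTP/1.1" 500 400',
    '10.0.0.5 - - [05/Jan/2026:10:21:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048',
]

def parse_log_line(line):
    """Split one access-log line into its fields; None if the line does not parse."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    # Parameter names are folded to lower case so ID, id and Id are all caught.
    params = {k.lower(): v
              for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"src": m.group("src"), "ts": m.group("ts"), "method": m.group("method"),
            "path": parts.path, "params": params, "status": int(m.group("status"))}

def suspicious_id_values(params):
    """Return ID values carrying SQL metacharacters. parse_qs decodes once;
    the extra unquote() pass surfaces double-encoded payloads such as %2527."""
    flagged = []
    for value in params.get("id", []):
        if SQLI_META.search(value) or SQLI_META.search(unquote(value)):
            flagged.append(value)
    return flagged

def scan_access_log(lines):
    """One alert per request to the vulnerable endpoint that either carries
    SQL metacharacters in ID or produced a 5xx (possible error-based probing)."""
    alerts = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["path"] != VULNERABLE_PATH:
            continue
        flagged = suspicious_id_values(rec["params"])
        if flagged:
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "reason": "sqli-metachars", "id": flagged[0]})
        elif rec["status"] >= 500:
            ids = rec["params"].get("id", [""])
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "reason": "server-error", "id": ids[0]})
    return alerts

def repeat_sources(alerts, threshold=3):
    """Sources with repeated hits on the endpoint (the 'varying payloads' indicator)."""
    counts = Counter(a["src"] for a in alerts)
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("repeat sources:", repeat_sources(found))
```

Run over a real log the same functions work line by line, so the scanner can be fed from a tail of the access log; the 5xx rule is deliberately kept separate from the metacharacter rule so that a server error on an otherwise clean-looking ID still surfaces, since the page notes that SQL errors in application logs are themselves an indicator.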

How to Mitigate CVE-2025-15424

Immediate Actions Required

  • Restrict network access to the Yonyou KSOA application to trusted IP addresses only
  • Deploy WAF rules to block SQL injection attempts targeting the vulnerable endpoint
  • If possible, temporarily disable or remove access to the agent_worksdel.jsp file until a patch is available
  • Implement input validation at the network perimeter to filter malicious requests

Patch Information

No official patch information is currently available from Yonyou. The vendor was contacted about this vulnerability disclosure but did not respond. Organizations should monitor the vendor's official channels for security updates and apply patches as soon as they become available. Additional technical details can be found in the VulDB entry.

Workarounds

  • Implement network segmentation to limit access to the KSOA application from untrusted networks
  • Deploy a web application firewall with SQL injection protection rules in front of the vulnerable application
  • Apply input validation at the application or reverse proxy level to sanitize the ID parameter before it reaches the application
  • Consider removing or renaming the vulnerable JSP file if the worksheet deletion functionality is not business-critical

Example WAF rule (ModSecurity format) to block SQL injection attempts in the ID parameter:

```apache
# Example WAF rule to block SQL injection in ID parameter (ModSecurity format).
# Use the selector ARGS:/^(?i)id$/ instead of ARGS:ID if your engine matches
# parameter names case-sensitively; t:urlDecodeUni also catches double-encoded input.
SecRule ARGS:ID "@detectSQLi" \
    "id:100001,\
    phase:2,\
    block,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection attempt detected in ID parameter',\
    logdata:'Matched Data: %{MATCHED_VAR}',\
    severity:'CRITICAL',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'attack-sqli'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
