Skip to main content
CVE Vulnerability Database

CVE-2025-6267: Zhilink ADP Platform SQLi Vulnerability

CVE-2025-6267 is a critical SQL injection vulnerability in Zhilink ADP Application Developer Platform 1.0.0 that enables remote attackers to execute malicious database queries. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-6267 Overview

CVE-2025-6267 is a SQL injection vulnerability in Zhilink ADP Application Developer Platform 1.0.0. The flaw affects unknown processing in the /adpweb/a/base/barcodeDetail/ endpoint. Attackers manipulate the barcodeNo, barcode, or itemNo parameters to inject arbitrary SQL statements. The attack can be initiated remotely and requires low-privilege authentication. The vendor was contacted prior to public disclosure but did not respond, leaving deployments without an official patch.

Critical Impact

Authenticated remote attackers can inject SQL via the barcodeDetail endpoint to read, modify, or delete backend database content in Zhilink ADP 1.0.0. No vendor patch is available.

Affected Products

  • Zhilink ADP Application Developer Platform 1.0.0
  • Component: /adpweb/a/base/barcodeDetail/ endpoint
  • Vulnerable parameters: barcodeNo, barcode, itemNo

Discovery Timeline

  • 2025-06-19 - CVE-2025-6267 published to NVD
  • 2025-10-09 - Last updated in NVD database

Technical Details for CVE-2025-6267

Vulnerability Analysis

The vulnerability is a classic SQL injection flaw classified under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command) and [CWE-74] (Improper Neutralization of Special Elements in Output). The defective code path resides at /adpweb/a/base/barcodeDetail/, where the application concatenates user-supplied input into SQL queries without parameterization or sanitization.

Three parameters are confirmed as injection sinks: barcodeNo, barcode, and itemNo. An attacker submits crafted values through HTTP requests to this endpoint and the backend executes the attacker-controlled SQL fragment. Because the platform is an application developer platform, exposed databases may contain source code metadata, credentials, and customer data.

The EPSS score is 0.127% with a percentile of 31.5, indicating low observed exploitation likelihood at this time. However, public disclosure on VulDB increases the probability of opportunistic scanning.

Root Cause

The root cause is the absence of prepared statements or input validation when handling the barcodeNo, barcode, and itemNo request parameters. The application embeds these values directly into SQL query strings, allowing standard injection techniques such as UNION-based extraction, boolean blind injection, and time-based blind injection.

Attack Vector

The attack vector is network-based and requires low-level authentication to the ADP web interface. An attacker sends an HTTP request to /adpweb/a/base/barcodeDetail/ with malicious payload values in one of the affected parameters. No user interaction is required. The vulnerability mechanism follows the standard pattern of unsanitized parameter concatenation; detailed proof-of-concept payload structures are referenced in the VulDB Submission #586697.

Detection Methods for CVE-2025-6267

Indicators of Compromise

  • HTTP requests to /adpweb/a/base/barcodeDetail/ containing SQL meta-characters such as single quotes, UNION SELECT, SLEEP(, or -- in barcodeNo, barcode, or itemNo parameters.
  • Database error messages returned in HTTP responses from the ADP web application.
  • Anomalous query patterns or long-running queries originating from the ADP application's database user.

Detection Strategies

  • Deploy web application firewall (WAF) signatures that inspect barcodeDetail requests for SQL injection patterns and tautology-based payloads.
  • Enable verbose database query logging on the backend to correlate unusual queries with barcodeDetail HTTP access logs.
  • Hunt for repeated 500-series HTTP responses on the affected endpoint, which indicate active probing.

Monitoring Recommendations

  • Forward ADP web server access logs and database logs to a centralized SIEM for correlation analysis.
  • Alert on outbound database connections from the ADP host to unexpected destinations, which may indicate data exfiltration.
  • Monitor for authentication anomalies on the ADP platform, since exploitation requires low-privileged credentials.

How to Mitigate CVE-2025-6267

Immediate Actions Required

  • Restrict network access to the ADP web interface using firewall rules or reverse proxy allow-lists until the vendor releases a patch.
  • Audit all accounts on the ADP platform and disable unused or default credentials to reduce the authenticated attack surface.
  • Deploy a WAF in blocking mode in front of /adpweb/a/base/barcodeDetail/ with strict SQL injection rule sets.

Patch Information

No vendor patch is available. According to the disclosure, Zhilink (智互联(深圳)科技有限公司) was contacted before public release but did not respond. Organizations running ADP Application Developer Platform 1.0.0 should treat the deployment as unsupported and consider migration. Refer to VulDB Entry #313271 for ongoing tracking.

Workarounds

  • Place the application behind a WAF or reverse proxy that enforces parameter type validation for barcodeNo, barcode, and itemNo.
  • Apply database-level least privilege so the ADP service account cannot read sensitive tables, write data, or execute administrative functions.
  • Isolate the ADP host in a segmented network zone with strict egress filtering to limit data exfiltration paths.
  • Increase monitoring frequency on the affected endpoint until the application is retired or replaced.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.