CVE-2025-15446 Enables Remote SQL Injection in Seeyon Zhiyuan OA System

Public exploit available; remote attackers can abuse vulnerable endpoints

Security researchers have disclosed CVE-2025-15446, a SQL injection vulnerability affecting the Seeyon Zhiyuan OA Web Application System up to version 20251223.

The vulnerability resides in a backend function that handles asset group reporting. Attackers can manipulate the unitCode parameter to inject malicious SQL queries. The application does not properly sanitize this input, and the flaw can be exploited remotely without authentication.

The exploit code is publicly available. The vendor did not respond during the responsible disclosure process. As a result, exposed systems face immediate risk.

Exploitation Details

Attackers can trigger the vulnerability through crafted requests to the affected asset reporting endpoint. Since the attack requires no credentials and minimal effort, automated scanning and exploitation are highly likely.

The flaw allows attackers to interact directly with backend databases. This access can enable data theft, modification, or further compromise of connected systems.

Risk Assessment

  • CVSS v2 Score: 7.5 (High)
  • CVSS v3.1 Score: 7.3 (High)
  • CVSS v4.0 Score: 6.9 (Medium)

Although the latest CVSS version rates the issue as medium, the availability of a working exploit significantly increases real-world impact.

Potential Impact

Successful exploitation may allow attackers to:

  • Extract sensitive enterprise data
  • Modify or delete records
  • Enumerate database structures
  • Use compromised systems as entry points for lateral movement

Organizations running internet-facing OA systems face the highest exposure.

Related Malicious Infrastructure Observed

Threat intelligence monitoring also flags the IP address 210.79.142.221 as confirmed malicious, with a 100% abuse confidence score.

Malicious IP Summary

  • IP Address: 210.79.142.221
  • Total Abuse Reports: 35,233
  • Distinct Reporting Sources: 1,432
  • ASN: AS141607
  • ISP: PT Cakrawala Link Nusantara
  • Usage Type: Fixed Line ISP
  • Location: Indonesia
  • Activity Status: Active (reported minutes ago)

This IP shows long-term malicious behavior consistent with scanning, exploit probing, and automated attack activity. While no direct linkage to this CVE is confirmed, the behavior aligns with reconnaissance targeting vulnerable web applications.

Key Risk

  • Public exploit lowers the barrier to attack
  • OA platforms often contain sensitive enterprise data
  • SQL injection enables deep backend compromise
  • Known malicious IPs actively scan for exposed services

Recommended Defensive Actions

  • Patch Seeyon Zhiyuan OA systems immediately
  • Restrict external access to OA web interfaces
  • Deploy WAF rules to block SQL injection patterns
  • Block 210.79.142.221 across security controls
  • Review logs for suspicious asset report queries
  • Monitor database activity for anomalies
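
One way to carry out the log review for the unitCode parameter, as an added example that is not part of the original advisory or the vendor's code. It assumes web access logs in combined log format and that legitimate unitCode values are short alphanumeric identifiers; the endpoint path and the log lines are constructed placeholders, since the advisory does not name the path.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate unitCode is a short alphanumeric identifier.
# Adjust this allowlist to the values your deployment really uses.
SAFE_UNITCODE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Combined log format: client IP, ident, user, [time], "METHOD target PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; /PLACEHOLDER/asset-report is not the real path.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jan/2026:10:00:01 +0000] '
    '"GET /PLACEHOLDER/asset-report?unitCode=1001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Jan/2026:10:00:05 +0000] '
    '"GET /PLACEHOLDER/asset-report?unitCode=1001%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 87',
    '203.0.113.10 - - [05/Jan/2026:10:00:09 +0000] '
    '"GET /PLACEHOLDER/home HTTP/1.1" 200 1024',
]


def suspicious_unitcode_requests(lines):
    """Return (client_ip, status, decoded_value) for every request whose
    unitCode query parameter falls outside the expected character set."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ip, _method, target, status = m.groups()
        query = target.partition("?")[2]
        # parse_qs percent-decodes each value before the allowlist check
        for value in parse_qs(query).get("unitCode", []):
            if not SAFE_UNITCODE.fullmatch(value):
                hits.append((ip, int(status), value))
    return hits


if __name__ == "__main__":
    for ip, status, value in suspicious_unitcode_requests(SAMPLE_LOG):
        print(f"{ip} status={status} unitCode={value!r}")
```

This covers only parameters sent in the query string; values sent in a request body do not appear in access logs and need application or WAF logs instead.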