CVE-2025-9391 in Zhiyou ERPinfo

Summary

by MITRE • 08/24/2025

A weakness has been identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this issue is the function getFieldValue of the component com.artery.workflow.ServiceImpl. This manipulation of the argument sql causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 09/12/2025

The vulnerability CVE-2025-9391 represents a critical sql injection flaw within the Bjskzy Zhiyou ERP system version 11.0 and earlier. This weakness exists in the com.artery.workflow.ServiceImpl component where the getFieldValue function processes sql arguments without proper sanitization or validation. The vulnerability stems from the application's failure to adequately filter user-supplied input before incorporating it into sql query constructions, creating an exploitable pathway for malicious actors to manipulate database operations through crafted sql commands.

The technical implementation of this vulnerability demonstrates a classic sql injection vector where the sql parameter passed to the getFieldValue function becomes directly executable within the database context. This flaw operates at the application layer and can be exploited remotely, eliminating the need for local system access or privileged credentials. The vulnerability's classification aligns with CWE-89 which specifically addresses sql injection weaknesses, and the attack pattern corresponds to ATT&CK technique T1190 - Exploit Public-Facing Application, indicating the vulnerability can be leveraged through publicly accessible application interfaces.

The operational impact of this vulnerability extends beyond simple data theft or modification, as it enables attackers to potentially execute arbitrary commands on the database server, access sensitive enterprise data, and compromise the integrity of the entire ERP system. Given that the exploit has been made publicly available and the vendor has not responded to disclosure attempts, the risk exposure is particularly severe as it provides malicious actors with ready-made tools to exploit the system. The vulnerability affects the core workflow functionality of the ERP system, potentially disrupting business operations and creating pathways for data exfiltration, unauthorized access, and system compromise.

Organizations utilizing this ERP system should immediately implement mitigations including input validation, parameterized queries, and access controls to prevent unauthorized database access. The lack of vendor response compounds the risk, making it imperative for affected parties to conduct immediate security assessments and consider alternative solutions while pursuing vendor engagement through multiple channels. Network segmentation and monitoring of sql traffic should be implemented to detect potential exploitation attempts, and all user inputs should be validated against whitelists to prevent malicious sql code execution. The vulnerability highlights the importance of timely vendor communication and the necessity of maintaining up-to-date security patches for enterprise applications.

Responsible

VulDB

Disclosure

08/24/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00377

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!