CVE-2026-1122 in KSOA
Summary
by MITRE • 01/18/2026
A vulnerability was determined in Yonyou KSOA 9.0. This impacts an unknown function of the file /worksheet/work_info.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability identified as CVE-2026-1122 is a critical SQL injection flaw in the Yonyou KSOA 9.0 enterprise software platform. The weakness resides in the HTTP GET parameter handler component, specifically in the /worksheet/work_info.jsp file, which processes incoming web requests. It manifests when an attacker manipulates the ID parameter in the HTTP GET request, allowing malicious SQL commands to be executed against the underlying database. This type of vulnerability falls under CWE-89, which categorizes SQL injection as a fundamental web application security flaw that enables unauthorized data access and manipulation.
Exploitation occurs through remote attack vectors, meaning an attacker can leverage this flaw without requiring physical access to the target system. The attack surface is particularly concerning because it involves the HTTP GET parameter handler, which is a common entry point for web-based attacks and typically processes user input without adequate sanitization or validation. The fact that this exploit has been publicly disclosed and is actively being utilized by threat actors significantly increases the risk profile of affected organizations. The impact extends beyond simple data theft, as SQL injection attacks can enable complete database compromise, allowing attackers to execute administrative commands, extract sensitive information, modify business data, or even establish persistent backdoors within the target environment.
Organizations running Yonyou KSOA 9.0 face substantial operational risks from this vulnerability, particularly given the widespread adoption of enterprise resource planning systems in business environments. The remote exploit capability means that attackers can target these systems from anywhere on the internet, potentially affecting multiple organizations simultaneously. This vulnerability aligns with attack patterns documented in the MITRE ATT&CK framework under the initial access and execution phases, where attackers leverage web application vulnerabilities to establish footholds within target networks. The lack of vendor response to early disclosure attempts compounds the security risk, leaving affected organizations without official patches or mitigation guidance during an active exploitation period. The business impact includes potential regulatory compliance violations, financial losses from data breaches, operational disruption, and damage to organizational reputation.
Effective mitigation strategies for this vulnerability must be implemented immediately given the public disclosure status. Organizations should deploy web application firewalls to filter malicious requests targeting the affected parameter, implement strict input validation on all HTTP GET parameters, and apply rate limiting to prevent automated exploitation attempts. The most critical remediation step is applying the vendor's official patch or workaround as soon as it becomes available, though the delayed vendor response creates an urgent need for temporary defensive measures. Network segmentation and privileged access controls should be strengthened to limit potential lateral movement if exploitation occurs. Additionally, comprehensive monitoring should be implemented to detect unusual database access patterns or SQL query executions that may indicate exploitation attempts. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in other components of the enterprise software stack, while incident response procedures must be updated to address SQL injection attack scenarios specifically.
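One way to support the monitoring and input-validation measures above is to review web server access logs for requests to /worksheet/work_info.jsp whose ID value fails a strict allowlist. The following is an added example, not code from VulDB, MITRE or Yonyou; the allowlist pattern, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/worksheet/work_info.jsp"  # file named in the advisory
PARAM = "id"                              # advisory names the argument "ID"; matched case-insensitively
# Assumption: legitimate ID values are short alphanumeric tokens. Adjust to real traffic.
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Assumption: common/combined access log format, e.g. "GET /path?query HTTP/1.1" 200
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def suspicious_requests(lines):
    """Return (ip, status, decoded_value) for requests to TARGET_PATH whose ID fails the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Deliberately broad match: ignore case and strip ;jsessionid-style path parameters.
        path = url.path.split(";", 1)[0].lower()
        if path != TARGET_PATH:
            continue
        # parse_qsl percent-decodes values, so encoded quotes and spaces are seen in clear.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == PARAM and not ALLOWED.fullmatch(value):
                hits.append((m.group("ip"), m.group("status"), value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jan/2026:10:00:01 +0000] "GET /worksheet/work_info.jsp?ID=1042 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Jan/2026:10:00:05 +0000] "GET /worksheet/work_info.jsp?ID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 20480',
    '198.51.100.7 - - [18/Jan/2026:10:00:09 +0000] "GET /Worksheet/work_info.jsp;jsessionid=abc?id=1%27-- HTTP/1.1" 500 310',
    '192.0.2.10 - - [18/Jan/2026:10:00:12 +0000] "GET /index.jsp?ID=1%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} ID={value!r}")
```

The same allowlist can be enforced at a reverse proxy or WAF in front of the application; flagged requests that returned 200 with unusually large responses deserve the first look during triage.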