CVE Alert: CVE-2025-12864 – e-Excellence – U-Office Force

CVE-2025-12864

HIGH · No exploitation known

U-Office Force developed by e-Excellence has a SQL Injection vulnerability, allowing an authenticated remote attacker to inject arbitrary SQL commands to read, modify, and delete database contents.

CVSS v3.1 (8.8)
AV NETWORK · AC LOW · PR LOW · UI NONE · S UNCHANGED
Vendor: e-Excellence
Product: U-Office Force
Versions: all versions before 29.50 (0 ≤ version < 29.50)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: 2025-11-10T02:15:04.569Z
Updated: 2025-11-10T02:15:04.569Z

AI Summary Analysis

Risk verdict

High risk: a network-exposed SQL injection that requires authenticated access; patch urgently.

Why this matters

The flaw enables an attacker to read, modify, and delete database contents, compromising confidentiality, integrity and potentially availability. With high CVSS scores, the business impact includes data loss, regulatory exposure, and possible service disruption, especially where internet-facing or widely accessible interfaces exist.

Most likely attack path

An authenticated attacker with network access can send crafted input to the vulnerable component, causing the backend to execute attacker-controlled SQL. The vulnerability has low attack complexity and requires no user interaction, so exploitation can be automated. If the database account the application uses has broader rights than it needs, further compromise or lateral movement within the data layer becomes more feasible.

Who is most exposed

Deployments with internet- or externally-accessible interfaces hosting the affected component are most at risk, particularly where database access is not tightly controlled or credentials are broadly shared; environments lacking timely patching are most vulnerable.

Detection ideas

  • An increase in SQL syntax or database error messages in application logs.
  • Sudden spikes in data-modification or data-exfiltration queries.
  • Authentication from unusual IPs or credential abuse patterns.
  • Suspicious input payloads or SQLi-like patterns reaching the backend.
  • Anomalous data dumps or rapid changes to sensitive records.

Mitigation and prioritisation

  • Patch to version 29.50 or later and verify deployment in production.
  • Enforce least-privilege for application DB accounts; rotate credentials.
  • Use parameterised queries/prepared statements and strict input validation.
  • Align network controls: restrict access to the vulnerable interface; deploy WAF rules; segment the data tier.
  • Enable audit logging and real-time monitoring for SQLi indicators; plan a targeted post-patch validation.
  • If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1; neither metric is provided here.
