CVE-2025-0392 - Critical SQL Injection in Guangzhou Huayi Intelligent Technology Jeewms (datagridGraph Function) – Exploit Details & Remediation

---

A new critical vulnerability has been discovered in Guangzhou Huayi Intelligent Technology Jeewms (Warehouse Management System), affecting all versions up to 20241229. If you are running this software, it’s important to address this issue right away, as exploits are available publicly.

Let’s break down what this vulnerability (CVE-2025-0392) is, how attackers can exploit it, and what you should do to stay protected.

Vulnerability: SQL Injection

- Component: datagridGraph function in /graphReportController.do

How Does the Exploit Work?

The vulnerability sits in the datagridGraph function, which handles requests at the endpoint /graphReportController.do. The store_code parameter coming from the user input is not properly sanitized before being passed into dangerous SQL queries.

That means a remote attacker can craft a malicious request, inject their own SQL, and compromise the system—leaking data, modifying it, or escalating privileges.

Let’s look at what the vulnerable code might look like (for illustration)

// Example: Vulnerable code in /graphReportController.do
public void datagridGraph(HttpServletRequest request, HttpServletResponse response) {
    String storeCode = request.getParameter("store_code");
    String sql = "SELECT * FROM warehouse_inventory WHERE store_code = '" + storeCode + "'";
    ResultSet rs = statement.executeQuery(sql);
    // ... process data ...
}

What went wrong?
Here, store_code is directly concatenated into the SQL query string. This allows an attacker to inject arbitrary SQL by tampering with the value.

Let’s say an attacker wants to dump all user data. They can send a GET request like this

GET /jeewms/graphReportController.do?datagridGraph&store_code=123'%20OR%201=1-- 

This would change the SQL query to

SELECT * FROM warehouse_inventory WHERE store_code = '123' OR 1=1--'

The OR 1=1 part makes the query always true, so it may return all rows, leaking sensitive information.

Worse, with stacked queries (if DB allows)

GET /jeewms/graphReportController.do?datagridGraph&store_code=';DROP TABLE users;--

This can lead to complete data loss.

Is There a Public Exploit?

Yes – the exploit has already been disclosed to the public, making unpatched systems especially vulnerable. For reference, see Exploit DB Listing (search for CVE-2025-0392 as new entries are published).

Official References

- NVD Entry for CVE-2025-0392
- Vendor Security Bulletin (if/when available)

How to Fix: Upgrade ASAP

The vendor has released version 20250101, which fixes the issue by properly sanitizing user input and using prepared statements.

Backup your data

2. Download Jeewms 20250101 from Official Link

Recommended: Patch, Protect, and Audit

1. Patch: Upgrade to Jeewms version 20250101 or higher.

2. Protect:

Disable internet exposure if possible until patched.

3. Audit: Check your logs for suspicious queries or access around datagridGraph.

Conclusion

CVE-2025-0392 is a critical SQL Injection vulnerability in Jeewms’s reporting feature. If you run any version up to 20241229, upgrade ASAP to 20250101. This issue allows remote attackers to take over your database, leak or destroy sensitive information, and possibly gain further access.

> Do not delay: Patch your system, and review your security basics. If you need further help, contact your IT team or the vendor’s support right away.


Stay safe!
For more updates on security, bookmark your vendor’s security advisories and follow official channels.


*Note: This post is for educational and defensive security use. Prevent, don’t exploit!*

Timeline

Published on: 01/11/2025 11:15:06 UTC