CVE-2025-29085

CRITICAL EXPLOITED NUCLEI

Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component

Title source: nuclei

Exploitation Summary

CVE-2025-29085 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.

Nuclei Templates (1)

Vipshop Saturn Console <= 3.5.1 - SQL Injection via ClusterKey Component

CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

References (1)

Core 1

Core References

Various Sources

https://gist.github.com/Cafe-Tea/bcef0d7a2bdb5ec8e0d69de852fdc900

Scores

CVSS v3 9.8

EPSS 0.2724

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2025-06-09

CWE

CWE-89

Status published

Products (1)

com.vip.saturn/saturn-console 0Maven

Published Apr 02, 2025

Tracked Since Feb 18, 2026