Exploitation Summary
CVE-2025-34038 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
Nuclei Templates (1)
Fanwei e-cology - SQL Injection
HIGHby ritikchaddha
FOFA:
app="泛微-协同办公OA"
References (4)
Core 4
Core References
Exploit exploit
technical-description
https://www.cnblogs.com/0day-li/p/14637680.html
Third Party Advisory third-party-advisory
https://www.cnvd.org.cn/flaw/show/CNVD-2021-33202
Various Sources product
https://weaver.com.co/products/ecology/
Exploit, Third Party Advisory third-party-advisory
https://vulncheck.com/advisories/fanwei-ecology-sql-injection
Scores
CVSS v3
7.5
EPSS
0.0517
EPSS Percentile
90.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
VulnCheck KEV
2025-06-23
CWE
CWE-89
Status
published
Products (2)
weaver/e-cology
< 8.0
Weaver/E-cology
< 8.0
Published
Jun 24, 2025
Tracked Since
Feb 18, 2026