CVE-2025-46579

HIGH

ZTE ZXCloud GoldenDB >=6.1.03 <6.1.03.11 - DDE Injection via File Download Interface

Title source: llm

Description

There is a DDE injection vulnerability in the GoldenDB database product. Attackers can inject DDE expressions through the interface, and when users download and open the affected file, the DDE commands can be executed.

References (1)

Core 1

Core References

Vendor Advisory

https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1036467615091601474

Scores

CVSS v3 8.4

EPSS 0.0017

EPSS Percentile 37.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

zte/zxcloud_goldendb 7.2.01.01 (2 CPE variants)

zte/zxcloud_goldendb 6.1.03 - 6.1.03.11

Published Apr 27, 2025

Tracked Since Feb 18, 2026