CVE-2025-9977
MEDIUMTimes Software E-Payroll - Unauthenticated DoS & SQL Injection
Title source: llmDescription
Value provided in one of POST parameters sent during the process of logging in to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. SQL injection attacks might also be feasible, although so far creating a working exploit has been prevented probably by backend filtering mechanisms. Additionally, command injection attempts cause the application to return extensive error messages disclosing some information about the internal infrastructure. Patching status is unknown because the vendor has not replied to messages sent by the CNA.
References (2)
Core 2
Core References
Various Sources third-party-advisory
https://cert.pl/en/posts/2025/11/CVE-2025-9977
Various Sources product
https://www.timesoftsg.com.sg/payroll-software/
Scores
CVSS v4
5.3
EPSS
0.0200
EPSS Percentile
78.1%
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-209
CWE-89
Status
published
Products (1)
Times Software/E-Payroll
< 20250121.0
Published
Nov 18, 2025
Tracked Since
Feb 18, 2026