Deer WMS 2
CVE-2025-8123
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in deerwms deer-wms-2 up to 3.3. It has been classified as critical. Affected is an unknown function of the file /system/dept/edit. The manipulation of the argument ancestors leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ancestors parameter of the /system/dept/edit endpoint, enabling unauthorized data exfiltration or modification. Although the CVE description classifies the issue as critical, the CVSS v4.0 score is 2.1, reflecting limited confidentiality and integrity impact. Exploit code is publicly available, but the EPSS exploitation probability remains low at 0.07%, which is consistent with the requirement for authenticated access and may reflect limited real-world adoption or attack surface.
Technical Context (AI)
The vulnerability exists in Deer WMS 2's department editing functionality (/system/dept/edit), where user-supplied input in the ancestors parameter is passed unsanitized into SQL queries. This falls under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), a parent class of SQL injection. The CVE description and Gitee repository indicate insufficient input validation or a lack of parameterized queries in the affected endpoint. The CPE specification (cpe:2.3:a:deerwms:deer-wms-2:*:*:*:*:*:*:*:*) indicates that all versions of the product line up to and including version 3.3 are potentially vulnerable.
Remediation (AI)
Upgrade Deer WMS 2 to a version newer than 3.3 if a patched release is available from the vendor; check the Gitee repository at https://gitee.com/deerwms/deer-wms-2 for release notes or contact the Deer WMS development team directly. If an upgrade is not immediately available, implement authentication-based access controls to restrict access to the /system/dept/edit endpoint to trusted administrative users only, and apply web application firewall (WAF) rules to block SQL injection patterns in the ancestors parameter (e.g., blocking quotes, semicolons, or SQL keywords in that field). Monitor server logs for suspicious activity targeting the /system/dept/edit endpoint. No vendor-released patch version is independently confirmed from available references.
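The parameter screen suggested above, sketched as an added example (not code from Deer WMS or from the advisory). It assumes requests arrive as URL-encoded form data; the function names, the keyword list and the sample values in the test are constructed for illustration. It repeatedly URL-decodes the value so that double-encoded quotes are still caught.

```python
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/system/dept/edit"  # endpoint named in the advisory
PARAM = "ancestors"                # parameter named in the advisory

# Patterns the remediation text lists: quotes, semicolons, SQL keywords.
# The comment markers (-- and /*) and the exact keyword list are
# assumptions of this example, not taken from the advisory.
_SUSPICIOUS = re.compile(
    r"""['"`;]|--|/\*|\b(select|union|insert|update|delete|drop|sleep|benchmark|and|or)\b""",
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so a value like %2527 cannot hide a quote."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def screen_request(path, body):
    """Return (allowed, reason) for one request.

    path may carry a query string; body is the raw form-encoded payload.
    Only the ancestors parameter of the affected endpoint is inspected.
    """
    route, _, query = path.partition("?")
    if route.rstrip("/") != TARGET_PATH:
        return True, "not the affected endpoint"
    # Collect the parameter from both the query string and the body.
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    values += parse_qs(body, keep_blank_values=True).get(PARAM, [])
    for raw in values:
        match = _SUSPICIOUS.search(fully_decode(raw))
        if match:
            return False, f"blocked {PARAM}: matched {match.group(0)!r}"
    return True, "ok"
```

A filter of this kind is a stopgap in front of the application; it does not replace parameterized queries in the affected code.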