Deer WMS 2
CVE-2025-8127
Severity: LOW
Severity by source: NVD (primary rating; the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A vulnerability classified as critical was found in deerwms deer-wms-2 up to 3.3. This vulnerability affects unknown code of the file /system/user/list. The manipulation of the argument params[dataScope] leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI-generated)
SQL injection in Deer WMS 2 up to version 3.3 allows an authenticated remote attacker to manipulate the dataScope parameter (submitted as params[dataScope]) of the /system/user/list endpoint, leading to arbitrary SQL query execution with limited information-disclosure impact. The CVSS v4.0 score of 2.1 reflects low severity because authentication is required and the impact is constrained (confidentiality, integrity, and availability all rated low), although exploit code has been publicly disclosed.
Technical Context (AI-generated)
The vulnerability stems from improper input validation of the 'dataScope' parameter (submitted as params[dataScope]) passed to the /system/user/list endpoint in Deer WMS 2, classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'). This is a classic SQL injection flaw: user-supplied input is concatenated into SQL statements instead of being bound through prepared statements (parameterized queries) or otherwise sanitized. The affected product is identified by the CPE cpe:2.3:a:deerwms:deer-wms-2, i.e. the Deer WMS 2 application from the deerwms vendor. The attack vector is network-based, but exploitation requires authenticated access (PR:L in CVSS v4.0): the attacker must first hold valid user credentials or a session in the application.
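The following is an added illustration of the defect class described above, not code from Deer WMS 2 (which is a Java application) and not a reconstruction of its query. It models a user-list query in Python over an in-memory sqlite3 table: the vulnerable variant splices a request-supplied dataScope string into the WHERE clause, while the hardened variant derives the scope from the authenticated caller's server-side role and binds values as parameters, discarding any client-supplied params[dataScope]. The table layout, department ids, role names and the `scope_for` helper are constructed for the example.

```python
"""Vulnerable vs. hardened handling of a user-list "data scope" filter.

Added example, not Deer WMS 2 code. The table, departments, roles and the
scope_for() helper are constructed to show the defect class (CWE-74: SQL
injection through string concatenation) next to a safe equivalent.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: users belong to departments; a normal user's
    data scope is limited to their own department."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_user (user_id INTEGER, user_name TEXT, dept_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO sys_user VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 100), (3, "carol", 200), (4, "admin", 300)],
    )
    return conn


def list_users_vulnerable(conn: sqlite3.Connection, data_scope: str) -> list[str]:
    """Defect: the request-supplied dataScope string is concatenated into the
    statement, so whatever the client sends is executed as SQL, not data."""
    sql = "SELECT user_name FROM sys_user WHERE dept_id = " + data_scope
    sql += " ORDER BY user_id"
    return [row[0] for row in conn.execute(sql)]


def scope_for(caller: dict) -> tuple[str, tuple]:
    """Derive the scope clause from the authenticated caller (server-side
    session data), never from request parameters. Hypothetical role model."""
    if caller["role"] == "admin":
        return "1 = 1", ()
    # Department id is bound as a parameter, not formatted into the string.
    return "dept_id = ?", (caller["dept_id"],)


def list_users_hardened(
    conn: sqlite3.Connection, caller: dict, request_params: dict
) -> list[str]:
    """Hardened form: the client-supplied params[dataScope] is ignored entirely;
    the clause comes from scope_for() and values travel as bound parameters."""
    _ = request_params.get("params[dataScope]")  # present or not, never trusted
    clause, args = scope_for(caller)
    sql = "SELECT user_name FROM sys_user WHERE " + clause + " ORDER BY user_id"
    return [row[0] for row in conn.execute(sql, args)]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input :", list_users_vulnerable(db, "100"))
    print("vulnerable, crafted input:", list_users_vulnerable(db, "100 OR 1=1"))
    user = {"dept_id": 100, "role": "user"}
    print("hardened, crafted input  :",
          list_users_hardened(db, user, {"params[dataScope]": "100 OR 1=1"}))
```

With the tautology input the vulnerable query returns every user regardless of department, which is the scope-bypass behaviour behind the advisory; the hardened query returns only the caller's department no matter what the request carries, because the only SQL fragment it ever builds is chosen from a fixed set by server-side authorization data.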
Remediation (AI-generated)
Upgrade Deer WMS 2 to a version released after 3.3; however, the exact patched version is not confirmed in the provided advisory data. Review the official Deer WMS 2 project repository (https://gitee.com/deerwms/deer-wms-2) for available updates and release notes. As an immediate compensating control, restrict access to the /system/user/list endpoint to trusted IP addresses or internal networks only, and enforce strict role-based access control (RBAC) to limit which authenticated users can access user listing functionality. Review application logs for suspicious queries to the user list endpoint (e.g., unusual parameter values in dataScope). Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns in the dataScope parameter (e.g., strings containing SQL keywords, wildcards, or quote characters). These controls mitigate exploitation risk while a vendor patch is obtained and tested. Note that the low CVSS and EPSS scores mean this can be patched during normal maintenance windows rather than emergency deployment.
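The log review suggested above can be automated. The script below is an added example, not part of the advisory or of Deer WMS 2: it parses constructed access-log lines in a combined-log-like format, keeps only requests to /system/user/list, extracts any client-supplied params[dataScope] value (whether the brackets are URL-encoded or literal), and rates it. Because that parameter is normally populated server-side, any client-supplied occurrence is flagged at least "medium"; values containing quote characters, comment markers or SQL keywords are rated "high". The log format, IPs, usernames and timestamps are constructed. One caveat from the format itself: a request that carries the parameter in a POST body leaves no trace in an access log, so body-level inspection belongs in the application or WAF layer.

```python
"""Flag client-supplied params[dataScope] values in access logs.

Added example, not advisory or Deer WMS 2 code. Log lines, hosts, users and
timestamps are constructed; the log format is combined-log-like.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log.
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Jul/2025:10:01:02 +0000] "GET /system/user/list?pageNum=1&pageSize=10 HTTP/1.1" 200 512
10.0.0.5 - alice [20/Jul/2025:10:01:09 +0000] "GET /system/user/list?params%5BdataScope%5D=%20AND%201%3D1 HTTP/1.1" 200 9120
10.0.0.7 - bob [20/Jul/2025:10:02:30 +0000] "GET /system/user/list?params[dataScope]='%20OR%20'1'%3D'1 HTTP/1.1" 200 9120
10.0.0.9 - carol [20/Jul/2025:10:03:00 +0000] "GET /system/dept/list?deptName=ops HTTP/1.1" 200 300
10.0.0.9 - carol [20/Jul/2025:10:03:45 +0000] "POST /system/user/list HTTP/1.1" 200 600
10.0.0.11 - dave [20/Jul/2025:10:04:10 +0000] "GET /system/user/list?params[dataScope]=100 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)
# Quote characters, comment markers and a few SQL keywords: enough to rank
# the obviously hostile values above merely unexpected ones.
SQL_META = re.compile(r"['\";]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b", re.I)
WATCHED_PATH = "/system/user/list"
WATCHED_PARAM = "params[datascope]"


def scope_values(query: str) -> list[str]:
    """Return every params[dataScope] value in a query string. parse_qsl
    percent-decodes keys, so params%5BdataScope%5D and params[dataScope]
    both normalise to the same key."""
    return [
        v for k, v in parse_qsl(query, keep_blank_values=True)
        if k.lower() == WATCHED_PARAM
    ]


def rate(value: str) -> str:
    """The parameter should never arrive from the client at all, so any
    occurrence is at least medium; SQL metacharacters make it high."""
    return "high" if SQL_META.search(value) else "medium"


def analyze(log_text: str) -> list[dict]:
    """Scan access-log text and return one finding per suspicious value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        for value in scope_values(parts.query):
            findings.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "ts": m.group("ts"),
                "value": value,
                "level": rate(value),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['level']:6} {f['ip']:10} {f['user']:6} {f['value']!r}")
```

Run against the constructed sample, the script reports alice and bob at "high" (decoded values " AND 1=1" and "' OR '1'='1") and dave at "medium" for sending a plain numeric dataScope; carol's dept-list request and the POST line produce nothing, the latter because the body is not logged.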