Deer WMS 2
CVE-2025-8162
Severity (by source): LOW
CVSS vector (NVD, primary rating; only source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as critical, has been found in deerwms deer-wms-2 up to 3.3. Affected by this issue is some unknown functionality of the file /system/dept/list. The manipulation of the argument params[dataScope] leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] parameter of the /system/dept/list endpoint. Although the initial report classified the issue as critical, the CVSS 4.0 vector yields a score of 2.1, reflecting low impact on confidentiality, integrity, and availability. Public exploit code exists; however, the EPSS score of 0.07% (22nd percentile) suggests minimal real-world exploitation likelihood, given the requirement for an authenticated account and the limited information disclosure scope.
Technical Context (AI)
The vulnerability exists in Deer WMS 2, an open-source warehouse management system, specifically in the department list endpoint. The CWE-74 classification (Improper Neutralization of Special Elements in Output Used by a Downstream Component, the general injection class of which SQL injection is an instance) indicates insufficient input validation on the dataScope parameter before it is incorporated into SQL queries. The affected endpoint /system/dept/list processes user-supplied parameters without parameterized queries or input sanitization, so SQL metacharacters can alter query logic. CPE data confirms that the affected range covers Deer WMS 2 versions up to and including 3.3.
Remediation (AI)
Upgrade Deer WMS 2 to a version beyond 3.3 once one is available from the upstream project repository (https://gitee.com/deerwms/deer-wms-2). Until a fix is available, validate the params[dataScope] parameter against an allowlist of permitted values and use parameterized/prepared SQL statements in the /system/dept/list endpoint implementation, so that the value is never interpolated into query text. Because exploitation requires an authenticated account, also limit which accounts can reach /system/dept/list through network controls and stronger authentication. Monitor access logs for SQL syntax characters (single quotes, semicolons, SQL keywords) in dataScope parameter values to detect exploitation attempts. Review the Gitee issue (https://gitee.com/deerwms/deer-wms-2/issues/ICLQKV) for vendor guidance on patch availability and deployment timeline.
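As an added defensive example (not code from this page or from the deer-wms-2 project): an allowlist check for the dataScope value, and a scan over constructed access-log lines implementing the log monitoring the remediation describes. The allowlist tokens and the combined log format are assumptions.

```python
"""Defensive checks for the /system/dept/list dataScope parameter (constructed example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist: the scope tokens a deployment actually permits are an assumption.
DATASCOPE_ALLOWLIST = frozenset({"all", "dept", "dept_and_child", "self"})

# Metacharacters, comment openers and keywords that have no place in a scope selector.
SQL_PATTERN = re.compile(
    r"""['";]|--|/\*|\b(select|union|insert|update|delete|drop|sleep)\b""",
    re.IGNORECASE,
)

def validate_data_scope(value: str) -> bool:
    """Server-side allowlist check, to run before the value reaches any SQL builder."""
    return value in DATASCOPE_ALLOWLIST

def looks_injected(value: str) -> bool:
    """Log-review heuristic: flag SQL metacharacters or keywords in the decoded value."""
    return SQL_PATTERN.search(value) is not None

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Return (line_no, decoded_value) for dept/list requests whose dataScope looks injected."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/system/dept/list":
            continue
        # parse_qs percent-decodes keys too, so params%5BdataScope%5D becomes params[dataScope]
        for value in parse_qs(url.query).get("params[dataScope]", []):
            if looks_injected(value):
                hits.append((n, value))
    return hits

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /system/dept/list?deptName=x&params%5BdataScope%5D=dept HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /system/dept/list?params%5BdataScope%5D=%27%20OR%201%3D1-- HTTP/1.1" 200 50',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /system/user/list?params%5BdataScope%5D=%27 HTTP/1.1" 200 50',
]

if __name__ == "__main__":
    for line_no, value in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious dataScope value {value!r}")
```

Only requests to /system/dept/list are inspected; the same parameter on other endpoints (line 3 of the sample) is deliberately left to a separate rule.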