
Deer WMS 2 CVE-2025-8163

Severity: LOW
Weakness: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
Published: 2025-07-25 · cna@vuldb.com
Score: 2.1 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:30 (vuln.today)

Description (CVE.org)

A vulnerability, which was classified as critical, was found in deerwms deer-wms-2 up to 3.3. This affects an unknown part of the file /system/role/list. The manipulation of the argument params[dataScope] leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI-generated)

SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] parameter of the /system/role/list endpoint. The vulnerability carries a low CVSS score of 2.1 because of its limited scope and integrity impact, but exploitation is confirmed possible with publicly available proof-of-concept code. Real-world risk is minimal given the requirement for prior authentication and the constrained data access impact.

Technical Context (AI-generated)

Deer WMS 2 is a web-based warehouse management system. The vulnerability lies in the role management functionality at the /system/role/list handler, where user-supplied input in the params[dataScope] parameter is insufficiently sanitized before being used to construct a SQL query. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates that the application fails to properly escape or parameterize SQL input, allowing attackers to inject arbitrary SQL syntax. The CPE designation cpe:2.3:a:deerwms:deer-wms-2:*:*:*:*:*:*:*:* confirms all versions through at least 3.3 are affected.

Remediation (AI-generated)

Upgrade Deer WMS 2 to a version newer than 3.3 as soon as patched releases become available; consult the vendor's official release notes at the Gitee repository (https://gitee.com/deerwms/deer-wms-2) for confirmed patch versions. As an immediate compensating control, restrict network access to the /system/role/list endpoint using firewall rules or Web Application Firewall (WAF) policies to only trusted internal IP ranges, reducing the attack surface to insider threats. Additionally, implement input validation and parameterized query execution at the application level if source code patches are not immediately available; audit database user permissions to ensure the application database account has minimal privilege necessary for role management operations, limiting the blast radius if SQL injection succeeds. Monitor authentication logs for unusual role management API access patterns from low-privilege accounts.
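The remediation above recommends input validation and parameterized query execution at the application level. The following added example (written for this page, not code from the Deer WMS 2 project) shows the pattern that closes a data-scope injection of the kind described: the request's dataScope value is only ever an allow-list key that selects a fixed SQL fragment, and the tenant-specific values (department id, user name) are bound as parameters. The table name sys_role, its columns, the scope names all/dept/self, the helper names and the sample rows are all constructed assumptions; Python with sqlite3 stands in for whatever database layer the project actually uses.

```python
"""Added example: an allow-listed data-scope filter for a role-list query.

Nothing here is Deer WMS 2 code. Table layout, scope names and helper names
are constructed for illustration (assumptions, not the project's).
"""
import sqlite3

# Allow-list: the only data-scope values the role-list query may ever use.
# Each key maps to a fixed SQL fragment; the caller picks a key but never
# supplies SQL text. (Constructed scope names, not the project's.)
DATA_SCOPE_FILTERS = {
    "all": "",                                 # no restriction
    "dept": " AND r.dept_id = :dept_id",       # caller's own department only
    "self": " AND r.create_by = :user_name",   # rows the caller created
}

BASE_QUERY = "SELECT r.role_id, r.role_name FROM sys_role r WHERE 1=1"


def build_role_query_unsafe(data_scope_sql: str) -> str:
    """The vulnerable pattern, shown for contrast only: caller-controlled
    text is spliced straight into the WHERE clause. Never execute this."""
    return BASE_QUERY + " " + data_scope_sql


def build_role_query_safe(data_scope: str) -> str:
    """Resolve the requested scope through the allow-list; anything that is
    not a known key is rejected before any SQL is assembled."""
    try:
        fragment = DATA_SCOPE_FILTERS[data_scope]
    except KeyError:
        raise ValueError(f"unknown data scope: {data_scope!r}")
    # Only a fixed fragment reaches the SQL; values are bound at execution.
    return BASE_QUERY + fragment


def list_roles(conn: sqlite3.Connection, data_scope: str,
               dept_id: int, user_name: str) -> list:
    """Run the role-list query with bound parameters; returns role names.
    sqlite3 ignores dict keys that the statement does not reference."""
    sql = build_role_query_safe(data_scope)
    rows = conn.execute(sql, {"dept_id": dept_id, "user_name": user_name}).fetchall()
    return [name for _, name in rows]


def demo_db() -> sqlite3.Connection:
    """In-memory sys_role table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_role (role_id INTEGER, role_name TEXT, "
        "dept_id INTEGER, create_by TEXT)"
    )
    conn.executemany(
        "INSERT INTO sys_role VALUES (?, ?, ?, ?)",
        [(1, "admin", 100, "alice"), (2, "picker", 200, "bob"), (3, "auditor", 100, "bob")],
    )
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(list_roles(conn, "all", 100, "alice"))    # every role
    print(list_roles(conn, "dept", 100, "alice"))   # department 100 only
    # A free-form string is never treated as SQL here; it is rejected outright.
    try:
        list_roles(conn, "1=1 OR 1=1", 100, "alice")
    except ValueError as err:
        print("rejected:", err)
```

The design point is that the request parameter chooses between pre-written fragments instead of contributing text to the statement; an unknown value fails closed with a ValueError that the handler can log, which also gives the monitoring recommendation above a concrete signal (rejected scope values from low-privilege accounts).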


CVE-2025-8163 vulnerability details – vuln.today
