Is there a public PoC exploit available for CVE-2025-8347?

Yes, a public proof-of-concept exploit is available for CVE-2025-8347. Prioritise patching immediately. EPSS: 0.0%.

Kehua Charging Pile Cloud Platform CVE-2025-8347

Q: What is the CVSS score of CVE-2025-8347?

CVE-2025-8347 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-07-31 cna@vuldb.com

SQLi Charging Pile Cloud Platform

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 01:18 vuln.today

DescriptionCVE.org

A vulnerability, which was classified as critical, was found in Kehua Charging Pile Cloud Platform 1.0. This affects an unknown part of the file /sys/task/findAllTask. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Kehua Charging Pile Cloud Platform 1.0 endpoint /sys/task/findAllTask allows authenticated remote attackers to execute arbitrary SQL queries with limited confidentiality and integrity impact. The vulnerability has a publicly available exploit and was disclosed to the vendor without response, though EPSS score of 0.04% suggests low real-world exploitation probability despite public POC availability.

Technical ContextAI

The vulnerability exists in the /sys/task/findAllTask file endpoint of the Kehua Charging Pile Cloud Platform, which fails to properly sanitize user-supplied input before incorporating it into SQL queries. This represents an Improper Neutralization of Special Elements used in an SQL Command (CWE-74) flaw, a well-understood injection attack vector. The affected product is a cloud platform serving electric vehicle charging infrastructure management, suggesting the backend likely uses a SQL database (MySQL, PostgreSQL, or similar) without parameterized query protection or input validation on this particular endpoint.

RemediationAI

No vendor-released patch has been identified at time of analysis, as the vendor did not respond to early disclosure attempts. Organizations operating Kehua Charging Pile Cloud Platform 1.0 should contact Kehua directly to request security updates or evaluate migration to a patched version if one becomes available. As an interim compensating control, restrict network access to the /sys/task/findAllTask endpoint using a Web Application Firewall (WAF) with SQL injection pattern detection, or implement strict input validation and parameterized queries at the application level if source code access is available. Additionally, enforce the principle of least privilege by limiting user accounts with access to this endpoint to only those requiring it, and monitor database query logs for suspicious SQL patterns indicating exploitation attempts. Monitor the GitHub POC repository (https://github.com/qiantx/cve/blob/main/CVE2.md) and Kehua's official channels for security advisories.

CVE-2025-8347 vulnerability details – vuln.today

Back