jizhicms SQLi deletes data (CVE-2025-70397)
CVE-2025-70397
Unauthenticated SQL injection in jizhicms 2.5.6 lets attackers delete arbitrary database entries via the data parameter. Update to version 2.5.7 immedia...
Vendor-confirmed - CVE-2025-70397 is a high SQL injection bug in jizhicms version 2.5.6 that lets an attacker read, modify, or delete the entire application database. Apply the official patch to prevent data theft or server takeover.
Overview
A critical security vulnerability has been identified in jizhicms version 2.5.6. This vulnerability allows for SQL Injection, a technique where an attacker can interfere with the queries an application makes to its database. Specifically, it exists within the Article/deleteAll and Extmolds/deleteAll functions due to insufficient validation of user-supplied input in the data parameter.
Vulnerability Details
In simple terms, this vulnerability exists because the system does not properly check or “sanitize” data sent by users before using it to construct database commands. The affected functions are designed to delete multiple items at once. By sending a specially crafted malicious payload in the data parameter, an attacker can trick the system into executing unintended SQL commands on the underlying database.
This could allow an attacker to read, modify, or delete sensitive data stored in the database, including user information, administrative credentials, or article content. In the worst case, with sufficient database permissions, an attacker could potentially gain full control over the database server.
Potential Impact
The impact of this vulnerability is severe and is rated as HIGH (CVSS: 8.8). Successful exploitation could lead to:
- Data Breach: Unauthorized access to and theft of all data within the application’s database.
- Data Manipulation or Destruction: Alteration or permanent deletion of website content, user accounts, and configuration settings.
- System Compromise: A foothold for further attacks within the network, potentially leading to a complete takeover of the affected server.
- Service Disruption: Deletion of critical data could render the website or application inoperable.
Remediation and Mitigation
Immediate action is required to secure affected systems.
Primary Remediation:
- Upgrade or Patch: Contact the jizhicms vendor or development team for an official patch or updated version that addresses this vulnerability. Apply the update to all affected installations immediately.
- Input Validation and Parameterized Queries: The permanent fix involves modifying the code in the deleteAll functions to use parameterized queries (prepared statements). This ensures user input is treated strictly as data, not as part of the executable SQL command.
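To make the remediation concrete, the following is an added example written for this page; it is not jizhicms code and not the vendor's patch. It models a bulk-delete handler that takes a comma-separated id list in a data parameter, first in the string-concatenation form this advisory describes and then in a hardened form that validates every id as an integer and binds the list through PDO prepared statements. The table name, column name and the in-memory SQLite database (standing in for the CMS's MySQL backend) are assumptions for illustration.

```php
<?php
// Added example, not jizhicms code: a bulk-delete handler for a "data"
// parameter, first with string concatenation (the pattern this advisory
// describes) and then with input validation plus PDO prepared statements.
// Table/column names are assumptions; an in-memory SQLite database stands
// in for the CMS's MySQL database so the script runs stand-alone.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data: three articles.
    $db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO article (id, title) VALUES (1,'a'), (2,'b'), (3,'c')");
    return $db;
}

// Vulnerable pattern: the raw request value is spliced into the SQL text,
// so whatever the client sends is parsed as SQL rather than as a list of ids.
function deleteAllUnsafe(PDO $db, string $data): int
{
    return $db->exec("DELETE FROM article WHERE id IN ($data)");
}

// Hardened version: split the value, accept only digit strings, and bind
// each id as a parameter. The SQL text never contains client-supplied bytes.
function deleteAllSafe(PDO $db, string $data): int
{
    $ids = [];
    foreach (explode(',', $data) as $part) {
        $part = trim($part);
        if (!ctype_digit($part)) {
            throw new InvalidArgumentException("invalid id: $part");
        }
        $ids[] = (int) $part;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM article WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

function countArticles(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM article')->fetchColumn();
}

// Constructed input: one legitimate id followed by a condition that is true
// for every row. Through the unsafe path it empties the whole table.
$payload = '1) OR (1=1';

$db = makeDb();
deleteAllUnsafe($db, $payload);
echo 'unsafe: rows left = ', countArticles($db), PHP_EOL;

$db = makeDb();
try {
    deleteAllSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected (', $e->getMessage(), ')', PHP_EOL;
}
echo 'safe: rows left = ', countArticles($db), PHP_EOL;

$db = makeDb();
echo 'safe: deleted ', deleteAllSafe($db, '1, 3'), ' row(s)', PHP_EOL;
```

Two layers do the work in the hardened path: the integer check rejects anything that is not an id before the database is involved, and the placeholders guarantee that even a value which slipped past validation could only ever be compared as data. A failed validation is also a useful detection signal; logging the rejected value alongside the requesting account gives the operations team something to alert on while the upgrade is rolled out.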
Temporary Mitigations (if immediate patching is not possible):
- Web Application Firewall (WAF): Deploy or configure a WAF with rules designed to block SQL injection patterns. This can help prevent exploitation attempts.
- Access Controls: Review and minimize the number of users with privileges to access the Article and Extmolds management functions.
- Network Segmentation: Ensure the database server is not directly accessible from the public internet and is placed behind appropriate network controls.
General Recommendation: Always follow the principle of least privilege for database accounts used by your applications and maintain a regular schedule for applying security updates to all software components.