CVE-2025-11629 identifies a SQL injection vulnerability in the RainyGao DocSys product, affecting all versions up to 2.02.36. The vulnerability resides in the getUserList function within the /Manage/getUserList.do endpoint. This function improperly sanitizes user input, allowing an attacker to inject malicious SQL commands remotely without requiring user interaction or elevated privileges beyond low-level access. The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L) and no authentication required (AT:N), though the attacker must have low privileges (PR:L). The impact on confidentiality, integrity, and availability is limited but present (VC:L, VI:L, VA:L), indicating partial compromise is possible. The vendor was notified but has not issued a patch or response, increasing the risk of exploitation. No known exploits are currently active in the wild, but public disclosure means attackers could develop exploits. The vulnerability affects a wide range of versions, suggesting many deployments remain vulnerable. The lack of patches and vendor engagement necessitates proactive defensive measures. The CVSS 4.0 score of 5.3 reflects a medium severity, balancing ease of exploitation with limited but meaningful impact on system security.

For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive user data, modification or deletion of database records, and potential disruption of document management services. This could result in data breaches violating GDPR requirements, reputational damage, and operational downtime. Attackers could leverage the vulnerability to escalate privileges or pivot within the network, increasing the risk of broader compromise. Organizations relying on RainyGao DocSys for critical document workflows may face interruptions affecting business continuity. The lack of vendor response and patches heightens the urgency for organizations to implement compensating controls. Additionally, regulatory scrutiny in Europe could lead to fines if data protection is compromised. The medium severity suggests the impact is significant but not catastrophic, yet the ease of remote exploitation without user interaction makes it a credible threat vector.

Organizations should immediately audit their use of RainyGao DocSys and identify affected versions. Since no official patches are available, implement the following mitigations: 1) Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting /Manage/getUserList.do. 2) Restrict network access to the DocSys management interface to trusted IP ranges via firewall rules or VPNs. 3) Conduct code reviews or apply manual input validation and parameterized queries if source code access is possible. 4) Monitor logs for suspicious query patterns or unusual database errors indicative of injection attempts. 5) Isolate the DocSys server from other critical infrastructure to limit lateral movement. 6) Prepare incident response plans for potential exploitation scenarios. 7) Engage with the vendor or community for updates and consider alternative document management solutions if remediation is delayed. 8) Regularly back up databases and test restoration procedures to mitigate data loss risks.