CVE-2025-13171: SQL Injection in ZZCMS
A vulnerability was identified in ZZCMS 2023. It affects an unknown function of the file /admin/wangkan_list.php. Manipulating the argument keyword leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used.
AI Analysis
Technical Summary
CVE-2025-13171 is a SQL injection vulnerability identified in the 2023 version of ZZCMS, a content management system. The flaw exists in the /admin/wangkan_list.php file, where the 'keyword' parameter is insufficiently sanitized, enabling attackers to inject arbitrary SQL queries remotely. This vulnerability does not require user interaction or authentication, making it accessible to unauthenticated remote attackers. The injection can lead to unauthorized data disclosure, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the backend database. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no exploits have been observed in the wild, public exploit code is available, increasing the likelihood of exploitation. The lack of patches or official fixes at the time of publication necessitates immediate mitigation efforts. The vulnerability affects all installations running ZZCMS 2023, particularly those exposing the admin interface to the internet without adequate protections.
Potential Impact
The SQL injection vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized access to sensitive data such as user credentials, personal information, or business-critical content. Attackers could modify or delete data, disrupting website functionality and causing data integrity issues. The availability of the CMS could be impacted if attackers perform destructive queries or cause database errors. Since the vulnerability requires no authentication, it poses a significant risk to any exposed ZZCMS 2023 installations. Organizations relying on ZZCMS for their web presence or internal portals may face data breaches, reputational damage, and operational disruptions. The presence of public exploit code increases the risk of automated attacks and widespread exploitation, especially in environments lacking proper network segmentation or input validation controls.
Mitigation Recommendations
1. Immediately restrict access to the /admin/wangkan_list.php endpoint by IP whitelisting or VPN-only access to limit exposure.
2. Implement robust input validation and sanitization on the 'keyword' parameter to prevent injection of malicious SQL code.
3. Employ prepared statements or parameterized queries in the application code to eliminate direct concatenation of user inputs into SQL queries.
4. Monitor database logs and web server logs for unusual query patterns or repeated failed attempts targeting the vulnerable parameter.
5. If possible, deploy a Web Application Firewall (WAF) with custom rules to detect and block SQL injection attempts targeting ZZCMS.
6. Regularly back up databases and test restoration procedures to minimize impact in case of data corruption or deletion.
7. Engage with ZZCMS developers or community to obtain official patches or updates addressing this vulnerability.
8. Conduct security audits and penetration testing focused on input validation and authentication controls for administrative interfaces.
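One way to implement the web server log monitoring in recommendation 4, as an added example that is not part of the original advisory or of ZZCMS: it flags requests to /admin/wangkan_list.php whose keyword value contains SQL syntax and counts repeats per client. The combined log format, the parameter arriving in the URL query string (request bodies do not appear in access logs), the marker list and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/admin/wangkan_list.php"  # path named in the advisory
PARAM = "keyword"                     # parameter named in the advisory

# Assumed log layout: Apache/nginx combined format, parameter sent in the URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic: SQL syntax that has no place in a search keyword. Tune per site.
SQL_MARKERS = re.compile(
    r"['\"`;]|--|/\*|\bunion\b.+\bselect\b|\bsleep\s*\(|\binformation_schema\b",
    re.IGNORECASE,
)

def suspicious_requests(lines):
    """Yield (ip, status, decoded_keyword) for flagged requests to ENDPOINT."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so encoded quotes are still seen.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if SQL_MARKERS.search(value):
                yield m["ip"], int(m["status"]), value

def repeat_offenders(lines, threshold=2):
    """Return {ip: hits} for clients with at least `threshold` flagged requests."""
    hits = Counter(ip for ip, _, _ in suspicious_requests(lines))
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Nov/2025:10:00:01 +0000] "GET /admin/wangkan_list.php?keyword=spring+issue HTTP/1.1" 200 5120',
    '203.0.113.9 - - [14/Nov/2025:10:00:05 +0000] "GET /admin/wangkan_list.php?keyword=a%27 HTTP/1.1" 500 312',
    '203.0.113.9 - - [14/Nov/2025:10:00:06 +0000] "GET /admin/wangkan_list.php?keyword=a%27--+ HTTP/1.1" 200 4980',
    '203.0.113.9 - - [14/Nov/2025:10:00:09 +0000] "GET /admin/index.php?keyword=a%27 HTTP/1.1" 200 900',
    '198.51.100.23 - - [14/Nov/2025:10:02:00 +0000] "GET /admin/wangkan_list.php?keyword=%22test%22 HTTP/1.1" 200 5001',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} keyword={value!r}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

A 5xx status on a flagged request is worth prioritising, since it can indicate the keyword value reached the database and broke the query.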
Affected Countries
China, India, United States, Germany, Russia, Brazil, South Korea, Japan, United Kingdom, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-14T10:09:44.459Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69176937db1bcd4e0c856804
Added to database: 11/14/2025, 5:39:03 PM
Last enriched: 2/24/2026, 10:21:17 PM
Last updated: 3/24/2026, 9:44:57 AM