CVE-2025-8702 is a medium-severity SQL Injection vulnerability identified in version 1.0 of the Wanzhou WOES Intelligent Optimization Energy Saving System, specifically within the Historical Data Query Module. The vulnerability arises from improper sanitization of the 'ObjectID' parameter in the /CommonSolution/GetVariableByOneIDNew endpoint. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to or modification of the backend database. The vulnerability does not require user interaction or authentication, making it remotely exploitable over the network with low attack complexity. However, the impact on confidentiality, integrity, and availability is rated low, as indicated by the CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/PR:L/VC:L/VI:L/VA:L). This suggests that while some data exposure or alteration is possible, the scope and severity of damage are limited. No known exploits are currently observed in the wild, and no patches have been published yet. The vulnerability disclosure date is August 7, 2025.

For European organizations using the Wanzhou WOES Intelligent Optimization Energy Saving System, this vulnerability poses a risk of unauthorized data access or manipulation within energy management systems. Since these systems often control or monitor critical energy consumption and optimization processes, exploitation could lead to inaccurate data reporting, potential disruption of energy-saving operations, or leakage of sensitive operational data. Although the CVSS score indicates a medium severity with limited impact, attackers could leverage this vulnerability as a foothold for further network intrusion or lateral movement. This is particularly concerning for industrial facilities, smart buildings, or energy providers relying on this system. The lack of authentication requirement increases the risk of remote exploitation, potentially affecting availability and operational integrity. However, the absence of known exploits in the wild and the limited scope of the affected component somewhat mitigate immediate widespread impact.

Organizations should immediately audit their deployment of the Wanzhou WOES Intelligent Optimization Energy Saving System to identify any instances of version 1.0 in use. Until an official patch is released, it is critical to implement strict network-level access controls restricting inbound traffic to the affected endpoint (/CommonSolution/GetVariableByOneIDNew). Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the ObjectID parameter can provide temporary protection. Additionally, monitoring logs for unusual query patterns or unexpected database errors can help detect exploitation attempts early. It is advisable to engage with the vendor for timely patch updates and to plan for an upgrade once a fix is available. As a longer-term measure, organizations should enforce secure coding practices and input validation for all parameters in web-facing applications to prevent similar vulnerabilities.