CVE-2025-8705 is a SQL Injection vulnerability identified in version 1.0 of the Wanzhou WOES Intelligent Optimization Energy Saving System, specifically within the Energy Overview Module's /WEAS_HomePage/GetTargetConfig endpoint. The vulnerability arises from improper sanitization of the BP_ProID parameter, which allows an attacker to inject malicious SQL code remotely without requiring user interaction or authentication. This flaw enables attackers to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or disruption of service. Although the CVSS 4.0 base score is rated medium (5.3), the vulnerability's remote exploitability and the critical nature of energy management systems elevate its significance. The exploit has been publicly disclosed, increasing the risk of exploitation, although no known active exploitation has been reported yet. The vulnerability does not require privileges or user interaction, which simplifies exploitation. The lack of available patches or mitigation links at this time further exacerbates the risk for affected deployments.

For European organizations, particularly those involved in energy management, utilities, or industrial automation, this vulnerability poses a significant risk. The WOES system is designed for intelligent energy optimization, meaning compromised systems could lead to unauthorized access to sensitive operational data, manipulation of energy consumption parameters, or disruption of energy-saving functions. Such impacts could result in financial losses, regulatory non-compliance, and operational downtime. Additionally, attackers could leverage this vulnerability as a foothold to pivot into broader network segments, potentially affecting critical infrastructure. Given the increasing emphasis on energy efficiency and smart grid technologies across Europe, exploitation could undermine trust in energy management solutions and impact national energy security strategies.

Organizations using Wanzhou WOES Intelligent Optimization Energy Saving System 1.0 should immediately conduct a thorough security assessment of their deployments. Specific mitigation steps include: 1) Implementing strict input validation and parameter sanitization at the application level to prevent SQL injection; 2) Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the BP_ProID parameter; 3) Restricting network access to the affected endpoint to trusted internal networks only; 4) Monitoring logs for unusual query patterns or access attempts to /WEAS_HomePage/GetTargetConfig; 5) Engaging with the vendor for patches or updates and applying them promptly once available; 6) Considering temporary isolation or disabling of the vulnerable module if feasible until a fix is deployed; 7) Conducting regular database integrity checks to detect unauthorized changes; and 8) Enhancing overall network segmentation to limit lateral movement in case of compromise.