
CVE-2025-8806: SQL Injection in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台

Medium
Vulnerability: CVE-2025-8806
Published: Sun Aug 10 2025 (08/10/2025, 11:02:06 UTC)
Source: CVE Database V5
Vendor/Project: zhilink 智互联(深圳)科技有限公司
Product: ADP Application Developer Platform 应用开发者平台

Description

A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. It has been classified as critical. This affects an unknown part of the file /adpweb/a/sys/office/treeData. The manipulation of the argument extId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/10/2025, 11:32:49 UTC

Technical Analysis

CVE-2025-8806 is a SQL Injection vulnerability identified in version 1.0.0 of the ADP Application Developer Platform (应用开发者平台) developed by zhilink 智互联(深圳)科技有限公司. The vulnerability exists in an unspecified component of the web application, specifically within the /adpweb/a/sys/office/treeData endpoint. The issue arises due to improper sanitization or validation of the 'extId' parameter, which can be manipulated by an attacker to inject malicious SQL code. This injection flaw allows an unauthenticated remote attacker to execute arbitrary SQL queries on the backend database, potentially leading to unauthorized data access, data modification, or disruption of service. The vulnerability has been publicly disclosed, and although no known exploits are currently observed in the wild, the availability of the exploit code increases the risk of exploitation. The vendor was notified but has not responded or provided a patch, leaving the vulnerability unmitigated. The CVSS 4.0 base score is 5.3, indicating a medium severity level, with a vector showing network attack vector, low attack complexity, no authentication required, and no user interaction needed. The impact on confidentiality, integrity, and availability is rated low, suggesting limited but non-negligible damage potential if exploited. Given the nature of SQL injection, attackers could leverage this flaw to extract sensitive information, alter data, or disrupt application functionality, depending on the database privileges of the application. The lack of vendor response and patch availability increases the urgency for affected organizations to implement compensating controls.

Potential Impact

For European organizations using the zhilink ADP Application Developer Platform, this vulnerability poses a risk of unauthorized data exposure and potential data integrity compromise. Since the platform is an application development environment, exploitation could allow attackers to access or manipulate development data, intellectual property, or sensitive configuration information. This could lead to downstream impacts on applications developed using the platform, including insertion of malicious code or backdoors. The remote and unauthenticated nature of the attack vector increases the risk of widespread exploitation if the platform is internet-facing or accessible from untrusted networks. Additionally, the absence of a vendor patch means organizations must rely on internal mitigations, increasing operational burden. The medium severity rating suggests that while the impact is not catastrophic, it could still result in significant business disruption, regulatory non-compliance (e.g., GDPR violations if personal data is exposed), and reputational damage. European entities in sectors with high data sensitivity such as finance, healthcare, and government could be particularly affected if they utilize this platform or its components.

Mitigation Recommendations

Given the lack of an official patch, European organizations should take immediate steps to mitigate the risk:

1. Implement strict input validation and sanitization on the 'extId' parameter at the web application firewall (WAF) or reverse proxy level to block malicious SQL payloads.
2. Restrict network access to the ADP platform, limiting exposure to trusted internal networks only, and block access from untrusted or public internet sources.
3. Conduct thorough code reviews and penetration testing on the platform to identify and remediate any additional injection points.
4. Monitor database logs and application logs for suspicious queries or anomalies indicative of exploitation attempts.
5. Employ database least privilege principles to minimize the impact of any successful injection by limiting the database user permissions used by the application.
6. If feasible, consider isolating or decommissioning the vulnerable version until a vendor patch or update is available.
7. Stay alert for any vendor updates or community patches and apply them promptly once released.
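The following is an added example, not code from the ADP platform or from the advisory, illustrating recommendations 1, 4 and 5 above. The advisory does not disclose the platform's language, schema or query, so the table name `sys_office`, its columns, the sample rows and the access-log lines are all constructed assumptions. It places a string-concatenated query (the defect class the advisory describes) next to a hardened handler that allowlists `extId` and uses a bound parameter, and adds a small checker that flags access-log requests to the treeData endpoint whose `extId` fails the same allowlist.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for the platform's office tree table (assumption: the real schema is unknown).
_SAMPLE_OFFICES = [
    ("1", "0", "Head office"),
    ("2", "1", "Finance"),
    ("3", "1", "Engineering"),
    ("4", "2", "Treasury"),
]

# Allowlist for extId: a short token of letters, digits, '_' or '-'. Adjust to the real id format.
_EXT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Matches the query string of a GET to the treeData endpoint in a common-log-format line.
_TREEDATA_LOG_RE = re.compile(r'"GET /adpweb/a/sys/office/treeData\?([^ "]*)')


def build_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_office (id TEXT, parent_id TEXT, name TEXT)")
    conn.executemany("INSERT INTO sys_office VALUES (?, ?, ?)", _SAMPLE_OFFICES)
    conn.commit()
    return conn


def tree_data_vulnerable(conn, ext_id):
    """Untrusted extId concatenated straight into SQL: the pattern behind the CVE.
    A value containing a quote changes the WHERE clause instead of being compared."""
    sql = ("SELECT id, parent_id, name FROM sys_office WHERE parent_id = '"
           + ext_id + "' ORDER BY id")
    return conn.execute(sql).fetchall()


def is_valid_ext_id(ext_id):
    """True only when extId is a string that fits the allowlist."""
    return isinstance(ext_id, str) and _EXT_ID_RE.match(ext_id) is not None


def tree_data_hardened(conn, ext_id):
    """Allowlist first, then a bound parameter so the value is never parsed as SQL.
    The database user behind `conn` should additionally be read-only (least privilege)."""
    if not is_valid_ext_id(ext_id):
        raise ValueError("extId rejected by allowlist")
    return conn.execute(
        "SELECT id, parent_id, name FROM sys_office WHERE parent_id = ? ORDER BY id",
        (ext_id,),
    ).fetchall()


def suspicious_requests(log_lines):
    """Return the access-log lines whose treeData extId fails the allowlist.
    parse_qs percent-decodes, so encoded quotes and spaces are inspected in clear."""
    flagged = []
    for line in log_lines:
        match = _TREEDATA_LOG_RE.search(line)
        if not match:
            continue
        params = parse_qs(match.group(1), keep_blank_values=True)
        ext_id = params.get("extId", [""])[0]
        if not is_valid_ext_id(ext_id):
            flagged.append(line)
    return flagged


# Constructed sample log lines; the second carries a URL-encoded tautology in extId.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2025:11:02:06 +0000] "GET /adpweb/a/sys/office/treeData?extId=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Aug/2025:11:03:10 +0000] "GET /adpweb/a/sys/office/treeData?extId=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [10/Aug/2025:11:04:00 +0000] "GET /adpweb/a/sys/user/list HTTP/1.1" 200 700',
]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, extId=1      ->", tree_data_vulnerable(db, "1"))
    print("vulnerable, tautology    ->", tree_data_vulnerable(db, "x' OR '1'='1"))
    print("hardened,   extId=1      ->", tree_data_hardened(db, "1"))
    print("hardened,   tautology ok ->", is_valid_ext_id("x' OR '1'='1"))
    print("flagged log lines        ->", suspicious_requests(SAMPLE_LOG))
```

Run with `python3 treedata_example.py`. The vulnerable handler returns every row for the tautology value, while the hardened handler rejects it before any SQL runs; the same allowlist applied to access logs gives a cheap first-pass detector for recommendation 4, and the parameterized query plus a read-only database account covers recommendations 1 and 5 even when a WAF rule is bypassed.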


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-09T07:46:16.673Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68987fdaad5a09ad0017dfce

Added to database: 8/10/2025, 11:17:46 AM

Last enriched: 8/10/2025, 11:32:49 AM

Last updated: 8/10/2025, 6:48:47 PM
