CVE-2025-8806 is a SQL Injection vulnerability identified in version 1.0.0 of the ADP Application Developer Platform (应用开发者平台) developed by zhilink 智互联(深圳)科技有限公司. The vulnerability resides in an unspecified component of the file located at /adpweb/a/sys/office/treeData, where the extId parameter is improperly sanitized, allowing an attacker to inject malicious SQL code. This flaw can be exploited remotely without requiring user interaction or authentication, enabling attackers to manipulate backend database queries. The vulnerability has been publicly disclosed, and although the vendor was notified early, no response or patch has been provided. The CVSS 4.0 base score is 5.3, reflecting a medium severity level, with attack vector as network (remote), low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is limited but present, as indicated by the CVSS vector components (VC:L, VI:L, VA:L). The exploitability is facilitated by the lack of authentication and user interaction requirements, but the partial impact on data and system integrity reduces the overall severity. No known exploits are currently reported in the wild. This vulnerability could allow attackers to extract sensitive data, modify database contents, or disrupt application functionality, depending on the database permissions and application logic tied to the vulnerable parameter.

For European organizations using the ADP Application Developer Platform by zhilink, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to sensitive data stored in backend databases, potentially exposing personal or business-critical information. Integrity of data could be compromised, leading to data tampering or corruption, which may affect business operations or compliance with data protection regulations such as GDPR. Availability impacts are possible but likely limited to the affected application components. Given the vendor's lack of response and absence of patches, organizations face increased exposure. If the platform is integrated into critical business processes or handles sensitive data, the risk escalates. Additionally, the remote and unauthenticated nature of the attack vector increases the likelihood of exploitation attempts. European entities relying on this platform for application development or deployment should be aware of potential data breaches, operational disruptions, and regulatory consequences stemming from this vulnerability.

Since no official patch is available, European organizations should implement immediate compensating controls. First, apply strict input validation and sanitization on the extId parameter at the application or web server level, using web application firewalls (WAFs) configured to detect and block SQL injection patterns targeting this endpoint. Network segmentation and access controls should limit exposure of the vulnerable service to trusted internal networks only. Monitoring and logging of database queries and application logs should be enhanced to detect anomalous activities indicative of SQL injection attempts. Organizations should consider deploying runtime application self-protection (RASP) solutions to provide real-time defense. If feasible, temporarily disabling or restricting access to the vulnerable /adpweb/a/sys/office/treeData endpoint until a patch or vendor guidance is available can reduce risk. Regular backups of databases and application data are essential to enable recovery in case of compromise. Finally, organizations should maintain close communication with the vendor for updates and consider alternative platforms if the vendor remains unresponsive.