CVE-2025-8808 is a CSV Injection vulnerability identified in the xujeff tianti 天梯 software, specifically affecting versions up to 2.3. The vulnerability resides in the exportOrder function located in the /tianti-module-admin/user/ajax/save file within the com.jeff.tianti.controller component. CSV Injection occurs when untrusted input is embedded into CSV files without proper sanitization, allowing an attacker to inject malicious formulas or commands that can execute when the CSV is opened in spreadsheet applications like Microsoft Excel or LibreOffice Calc. This vulnerability can be exploited remotely without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The attack complexity is low, and the impact primarily affects data integrity and potentially confidentiality if malicious formulas execute commands or exfiltrate data. The vendor was notified but did not respond, and no patches have been released yet. Although no known exploits are currently in the wild, public disclosure increases the risk of exploitation. The CVSS 4.0 score of 5.3 categorizes this as a medium severity issue. The vulnerability's scope is limited to the exportOrder function, but given the nature of CSV Injection, it can lead to significant downstream impacts if malicious CSV files are opened by end users. The vulnerability does not affect availability but poses risks to integrity and confidentiality through formula injection and potential command execution in spreadsheet environments.

For European organizations using xujeff tianti 天梯 up to version 2.3, this vulnerability poses a moderate risk. Attackers can craft malicious CSV exports that, when opened by employees or administrators, could execute arbitrary commands or scripts within spreadsheet applications, potentially leading to data leakage, unauthorized data manipulation, or further compromise of internal systems. This is particularly concerning for organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, or government agencies, where data integrity and confidentiality are paramount. The remote exploitation capability without user interaction or authentication increases the threat surface, especially in environments where exported CSV files are shared or processed automatically. Although the vulnerability does not directly disrupt system availability, the indirect effects of compromised data or lateral movement within networks could result in operational disruptions or compliance violations under regulations like GDPR. The lack of vendor response and absence of patches heighten the urgency for European organizations to implement mitigations proactively.

1. Immediate mitigation should involve sanitizing all CSV exports by escaping or removing characters that can trigger formula execution in spreadsheet software, such as '=', '+', '-', and '@' at the beginning of fields. 2. Implement input validation and output encoding within the exportOrder function to prevent injection of malicious formulas. 3. Restrict access to the exportOrder functionality to trusted and authenticated users with minimal privileges to reduce exploitation risk. 4. Educate users to open CSV files in safe modes or use spreadsheet applications that disable automatic formula execution. 5. Monitor logs for unusual export activities or anomalies in CSV content. 6. If possible, replace or upgrade the affected software to a version without this vulnerability once available. 7. Employ network segmentation and data loss prevention (DLP) tools to detect and block suspicious CSV files before they reach end users. 8. Consider implementing application-layer firewalls or web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the exportOrder endpoint.