VYPR
High severity 7.3 · NVD Advisory · Published Aug 9, 2025 · Updated Apr 29, 2026

CVE-2025-8773

Description

A vulnerability, which was classified as critical, was found in Dinstar Monitoring Platform 甘肃省危险品库监控平台 1.0. Affected is an unknown function of the file /itc/$%7BappPath%7D/login_getPasswordErrorNum.action. The manipulation of the argument userBean.loginName leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated SQL injection in Dinstar Monitoring Platform 1.0 allows remote attackers to extract database contents and potentially gain server privileges.

Vulnerability Analysis

The vulnerability resides in the Dinstar (also referred to as Zhejiang Dahua Technology) monitoring platform version 1.0, specifically the file /itc/$%7BappPath%7D/login_getPasswordErrorNum.action. The manipulation of the userBean.loginName parameter in an HTTP GET request permits SQL injection. The CVE description and accompanying proof-of-concept (PoC) confirm that the attack can be performed remotely without requiring authentication [1].

Exploitation Vector

An attacker can exploit this flaw by sending a crafted HTTP GET request to the vulnerable endpoint with malicious input in the userBean.loginName parameter. The PoC demonstrates a simple test using an asterisk (*) to trigger injection behavior, and the provided sqlmap command shows how an attacker could automate exploitation to discover database details or elevate privileges. The request does not require any session or authentication, as it targets the login error counting functionality [1].

Impact

Successful exploitation could allow an attacker to extract sensitive information from the underlying database, including user credentials, system configuration, or other monitored data. The advisory notes that attackers can potentially gain server-level privileges, which would lead to full compromise of the monitoring platform and possibly the hosts it monitors [1].

Mitigation Status

The vendor was contacted early about this disclosure but did not respond. No official patch or advisory has been released as of the publication date. Users of this platform should consider mitigating the risk by restricting network access to the affected endpoint, applying virtual patching via a web application firewall, or isolating the system until a fix becomes available [1].
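As an added example (not from the advisory, the vendor or the cited references), the following defender-side check scans web-server access logs for requests to the login_getPasswordErrorNum.action endpoint whose userBean.loginName value carries SQL metacharacters, the kind of rule one would deploy as virtual patching while no vendor fix exists. The combined-log format, the metacharacter heuristic and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the CVE description; the ${appPath}
# prefix varies per deployment, so only the action name is matched.
VULN_ACTION = "/login_getPasswordErrorNum.action"
VULN_PARAM = "userBean.loginName"

# Characters and keywords that do not belong in a login name but are
# typical of SQL injection probing (the public PoC used a bare asterisk).
SQLI_PATTERN = re.compile(
    r"['\"`;*]|--|/\*|\b(?:union|select|sleep|benchmark|waitfor)\b", re.IGNORECASE)
# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def inspect_target(target):
    """Classify one request target (path?query) as (suspicious, reason)."""
    url = urlsplit(target)
    if not unquote(url.path).endswith(VULN_ACTION):
        return False, "other endpoint"
    # parse_qs percent-decodes, so an encoded %27 is a quote by the time we match.
    for value in parse_qs(url.query).get(VULN_PARAM, []):
        if SQLI_PATTERN.search(value):
            return True, f"{VULN_PARAM} contains SQL metacharacters: {value!r}"
    return False, "benign login name"

def scan_access_log(lines):
    """Return [(line, reason)] for every line whose request looks like a probe."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # no request field: nothing to judge
        suspicious, reason = inspect_target(m.group("target"))
        if suspicious:
            hits.append((line, reason))
    return hits

# Constructed sample log lines (not real traffic); exactly 2 of the 4 should be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Aug/2025:10:00:01 +0000] "GET /itc/$%7BappPath%7D/login_getPasswordErrorNum.action?userBean.loginName=operator HTTP/1.1" 200 87',
    '10.0.0.9 - - [09/Aug/2025:10:00:02 +0000] "GET /itc/$%7BappPath%7D/login_getPasswordErrorNum.action?userBean.loginName=* HTTP/1.1" 200 91',
    '10.0.0.9 - - [09/Aug/2025:10:00:03 +0000] "GET /itc/$%7BappPath%7D/login_getPasswordErrorNum.action?userBean.loginName=admin%27 HTTP/1.1" 500 0',
    '10.0.0.7 - - [09/Aug/2025:10:00:04 +0000] "GET /itc/$%7BappPath%7D/status.action?userBean.loginName=it%27s-me HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    for _line, reason in scan_access_log(SAMPLE_LOG):
        print(reason)
```

The same match on path suffix plus decoded parameter value is what a WAF rule for this endpoint would express; tune SQLI_PATTERN to the character set your real login names actually use.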

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 4
