CVE-2025-14696

Shenzhen Sixun Software Sixun Shanghui Group Business Management System UpdatePasswordBatch password recovery

CVSS 6.9 MEDIUMEPSS 0.3%CWE-640

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.9EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

15 dic 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A vulnerability was identified in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this vulnerability is an unknown functionality of the file /api/GylOperator/UpdatePasswordBatch. The manipulation leads to weak password recovery. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Productos afectados

Shenzhen Sixun Software · Sixun Shanghui Group Business Management System

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/1 https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/1#issue-3688839620 https://vuldb.com/?ctiid.336414 https://vuldb.com/?id.336414 https://vuldb.com/?submit.705601