CVE-2025-46579

There is a DDE injection vulnerability in the GoldenDB database product. Attackers can inject DDE expressions through the interface, and when users download and open the affected file, the DDE commands can be executed.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.7 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1036467615091601474	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zte:zxcloud_goldendb::::::::
	cpe:2.3:a:zte:zxcloud_goldendb:7.2.01.01:-:::-:::*
	cpe:2.3:a:zte:zxcloud_goldendb:7.2.01.01:-:::lite:::*

History

12 May 2025, 19:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-27 02:15

Updated : 2025-05-12 19:32

NVD link : CVE-2025-46579

Mitre link : CVE-2025-46579

CVE.ORG link : CVE-2025-46579

JSON object : View

Products Affected

zte

zxcloud_goldendb

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-46579", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@zte.com.cn", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-04-27T02:15:16.203", "references": [{"url": "https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1036467615091601474", "tags": ["Vendor Advisory"], "source": "psirt@zte.com.cn"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@zte.com.cn", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "There is a DDE injection vulnerability in the GoldenDB database product. Attackers can inject DDE expressions through the interface, and when users download and open the affected file, the DDE commands can be executed."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n DDE en la base de datos GoldenDB. Los atacantes pueden inyectar expresiones DDE a trav\u00e9s de la interfaz y, al descargar y abrir el archivo afectado, ejecutar los comandos DDE."}], "lastModified": "2025-05-12T19:32:17.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zte:zxcloud_goldendb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5DC9861-1D01-4503-9554-968B45CCE5AF", "versionEndExcluding": "6.1.03.11", "versionStartIncluding": "6.1.03"}, {"criteria": "cpe:2.3:a:zte:zxcloud_goldendb:7.2.01.01:-:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "DFE2AA93-8A9F-4B65-A6FB-B27F09310467"}, {"criteria": "cpe:2.3:a:zte:zxcloud_goldendb:7.2.01.01:-:*:*:lite:*:*:*", "vulnerable": true, "matchCriteriaId": "F2B3E467-C5A8-4575-93E3-5FE7838BFF2B"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@zte.com.cn"}