CVE-2022-4984

High PUBLISHED

ZenTao Biz < 6.5, Max < 3.0, & Open Source Edition 16.5/16.5beta1 SQL Injection via user-login.html

Qingdao Esoft Tianchuang Network Technology Co., Ltd. · ZenTao Biz, ZenTao Max, ZenTao Open Source Edition

Not yet in CISA KEV

Exploited in the wild

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
High
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
Not yet in CISA KEV
CVSS / EPSS
8.7 High

At a Glance

ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html before using it in a database query. A remote unauthenticated attacker can exploit this issue to execute crafted SQL expressions and retrieve sensitive information from the backend database, including user and application data. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.

CVE Published
Nov 13, 2025
Exploitation Reported
Jan 24, 2026
CVSS
8.7 High
EPSS
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
Qingdao Esoft Tianchuang Network Technology Co., Ltd.
ZenTao Biz

0 to < 6.5

Affected
Qingdao Esoft Tianchuang Network Technology Co., Ltd.
ZenTao Max

0 to < 3.0

Affected
Qingdao Esoft Tianchuang Network Technology Co., Ltd.
ZenTao Open Source Edition

0 to < 16.5

Affected
Qingdao Esoft Tianchuang Network Technology Co., Ltd.
ZenTao Open Source Edition

0 to < 16.5.beta1

Affected

CVE References

  • Patch — zentao.pm zentao.pm · Patch https://www.zentao.pm/download/zentao-community-edition-release-65-11...
  • Patch — zentao.pm zentao.pm · Patch https://www.zentao.pm/download/zentao-community-edition-release-30-11...
  • Patch — zentao.pm zentao.pm · Patch https://www.zentao.pm/download/zentao-community-edition-release-165-1...
  • Patch — zentao.pm zentao.pm · Patch https://www.zentao.pm/download/zentao-community-edition-release-1651-...
  • Third-Party Advisory — vulncheck.com vulncheck.com · Third-Party Advisory https://www.vulncheck.com/advisories/zentao-biz-max-and-open-source-e...
Show 1 more reference

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.