CVE-2024-58352: Landray OA Unauthenticated HQL Injection via wechatLoginHelper.do
Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POST parameter of the wechatLoginHelper.do endpoint. Attackers can exploit the lack of input sanitization in the string-concatenated filter expression passed to the Hibernate findList() call to extract sensitive data such as administrator password hashes and, with sufficient database privileges, perform file-write operations enabling remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-03-11 (UTC).
Security readout for executives and security teams
Plain-English summary
CVE-2024-58352 is an unauthenticated injection flaw in Landray OA. An external attacker may query sensitive application data without logging in. Sources describe possible exposure of administrator password hashes and potential code execution if database privileges allow file writes. This is high business urgency for any internet-accessible Landray OA deployment.
Executive priority
Prioritize within the next patch or emergency change window for any externally reachable Landray OA. The combination of no authentication, sensitive data access, public technical disclosure, and reported exploitation evidence makes delay risky, even though KEV is not currently listed.
Technical view
The flaw is HQL injection in the wechatLoginHelper.do endpoint, specifically the uid POST parameter. Unsanitized input is concatenated into a Hibernate filter expression passed to findList(), enabling arbitrary Hibernate entity queries. CVSS 4.0 score is 8.7. Public disclosures include technical details; avoid reproducing them in validation workflows.
Likely exposure
Highest exposure is Landray OA reachable from the internet or untrusted networks. The source bundle lists affected versions broadly, without a fixed version range or CPEs, so asset owners should treat Landray OA deployments as potentially affected until vendor guidance confirms otherwise.
Exploitation context
The source bundle states exploitation evidence was first observed by Shadowserver on 2024-03-11 UTC. CISA KEV status is false in the provided data. Public researcher posts and a VulnCheck advisory contain exploit-oriented technical details, increasing risk for exposed systems.
Researcher notes
Evidence supports unauthenticated HQL injection and high confidentiality impact. Version boundaries, vendor patch identifiers, and official mitigation details are not present in the provided sources. Treat exploitability beyond data extraction, including file-write based RCE, as dependent on database permissions and deployment specifics.
Mitigation direction
Check Shenzhen Landray vendor guidance for official patches or configuration mitigations.
Restrict external access to Landray OA until remediation status is confirmed.
Place OA behind VPN, allowlists, or trusted access controls where operationally feasible.
Review web application firewall rules for HQL or injection attempts targeting this endpoint.
Rotate exposed credentials if logs or indicators suggest successful data access.
Validation and detection
Inventory all Landray OA instances and confirm internet exposure.
Identify whether wechatLoginHelper.do is reachable without authentication.
Review application and web logs for suspicious POST requests to that endpoint.
Check for unusual database queries or access to administrator credential data.
Confirm installed version and remediation status with vendor documentation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-564: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-564 · source CWE mapping
SQL Injection: Hibernate
SQL Injection: Hibernate represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.