> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
Kingsoft Endpoint Security (formerly Kingsoft Security) is a widely used enterprise security suite for malware defense, endpoint protection, and network security.
Recently, the vendor pushed a new version that silently fixes a critical SQL injection vulnerability. After our analysis, we confirmed that the bug can be chained into file write + remote code execution (RCE).
Because this is an endpoint protection product, often deployed across sensitive enterprise environments, we strongly recommend updating as soon as possible.
Vulnerability Overview
The flaw comes from unsanitized user input directly concatenated into SQL queries, leading to a classic SQL injection vector.
With the right payload, attackers could escalate the injection into arbitrary file write, which in turn enables remote code execution on affected systems.
Detection Tools
We've released both remote and local detection tools to help defenders quickly verify if their assets are affected.
X-POC Remote Scanner
xpoc -r 411 -t https://target.example
Download here:
CloudWalker Local Scanner
Run directly on the host:
zdv9_sqli_ct_926575_scanner_windows_amd64.exe
Download here:
Affected Versions
- Kingsoft Endpoint Security < V9.SP1.E1008
Mitigation & Fix
Permanent Fix
The vendor has shipped a patched release. Update immediately:
https://www.ejinshan.net/lywz/index
Temporary Workarounds
- Restrict access with ACLs (only trusted IP ranges).
- Do not expose the web management console directly to the internet.
- Enforce strict access controls from internal networks only.
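An inventory triage for the affected-version rule and the ACL workaround above, added here as an example and not code from Chaitin or Kingsoft. It assumes version strings follow the V<major>.SP<n>.E<build> pattern and compare in that order; the hosts, field names and trusted range are constructed.

```python
import ipaddress
import re

# First fixed release per the advisory: V9.SP1.E1008.
FIXED = (9, 1, 1008)
# Assumption: versions look like V<major>.SP<n>.E<build> and order as that tuple.
VERSION_RE = re.compile(r"^V(\d+)\.SP(\d+)\.E(\d+)$", re.IGNORECASE)
# Constructed trusted admin network; replace with your own ranges.
TRUSTED = [ipaddress.ip_network("10.20.0.0/16")]

def parse_version(text):
    """Return (major, sp, build), or None if the string does not match."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def acl_is_tight(allowed_cidrs):
    """True only if every range allowed to reach the console lies inside a
    trusted network. An empty ACL means unrestricted, so it is not tight."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    return bool(nets) and all(
        any(n.version == t.version and n.subnet_of(t) for t in TRUSTED)
        for n in nets
    )

def triage(asset):
    version = parse_version(asset["version"])
    if version is None:
        return "review"  # unparseable: check by hand, never assume patched
    if version >= FIXED:
        return "patched"
    # Below the fixed release: patch first wherever the console is widely reachable.
    return "vulnerable" if acl_is_tight(asset["console_acl"]) else "vulnerable-exposed"

# Constructed inventory records (hypothetical hosts and field names).
INVENTORY = [
    {"host": "mgmt-01", "version": "V9.SP1.E1001", "console_acl": ["0.0.0.0/0"]},
    {"host": "mgmt-02", "version": "V9.SP1.E1008", "console_acl": ["0.0.0.0/0"]},
    {"host": "mgmt-03", "version": "V9.SP0.E1200", "console_acl": ["10.20.5.0/24"]},
    {"host": "mgmt-04", "version": "9.1 build 1008", "console_acl": []},
    {"host": "mgmt-05", "version": "V9.SP1.E0999", "console_acl": []},
]

def report(inventory=INVENTORY):
    return {a["host"]: triage(a) for a in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```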
Product Support Matrix
- YunTu: Fingerprint-based detection + PoC validation supported.
- DongJian: Will support via custom POC.
- SafeLine WAF: Virtual patch already published to block exploitation attempts.
- QuanXi: Rule update package released.
- CloudWalker: Users on platform ≥ 23.05.001 can download the emergency vuln pack (EMERVULN-23.10.017). Other versions, contact support.
Timeline
- Oct 17: Vulnerability details surface publicly
- Oct 18: Chaitin Emergency Response Lab confirms + reproduces
- Oct 18: Official advisory published