CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yirmibes Software MY ERP allows SQL Injection. This issue affects MY ERP: before 1.170.
Analysis (AI)
Critical SQL injection in Yirmibes Software MY ERP before version 1.170. The NVD vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) gives a CVSS 3.1 base score of 9.8 (Critical): the flaw is reachable over the network, needs no authentication and no user interaction, and a successful injection has high impact on the confidentiality, integrity and availability of the ERP database. This page records no CISA KEV entry and no EPSS score, so it carries no evidence about in-the-wild exploitation either way; the combination of unauthenticated network reach and low attack complexity is reason enough to patch with urgency rather than wait for such evidence.
Technical Context (AI)
The weakness is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-supplied input reaches an SQL statement without being neutralized, so SQL metacharacters (single quotes, comment sequences such as -- and /* */, statement separators, UNION) are interpreted as query syntax rather than as data. The advisory does not name the affected endpoint or parameter, and no CPE is confirmed on this page (a plausible form is cpe:2.3:a:yirmibes:my_erp:*:*:*:*:*:*:*:* with versions before 1.170, but that is an inference, not an NVD-supplied identifier). The usual root cause of this CWE is building the query by string concatenation; the durable fix is parameterized queries or prepared statements, which send the statement text and the data to the database separately so that input can never change the structure of the query. Escaping alone is a weaker substitute: it is easy to apply inconsistently and gives no protection in unquoted numeric contexts, identifiers or ORDER BY clauses, which need allow-lists instead.
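The following is an added illustration of the CWE-89 pattern and its parameterized fix; it is not MY ERP code, and the schema, data, function names and payloads are hypothetical, with SQLite standing in for whatever database the product uses. It runs three classic payloads (tautology, comment truncation, UNION extraction) through a concatenating login query and through the same query with bound parameters.

```python
import sqlite3

# Added illustration, not MY ERP code: the schema, data and function names here
# are hypothetical; SQLite stands in for whatever database the product uses.


def build_db():
    """Constructed sample data: a minimal users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("admin", "hash_admin", "administrator"),
         ("clerk", "hash_clerk", "accounting")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """CWE-89 pattern: input is concatenated into the statement text, so quotes,
    comment markers and UNION inside `username` become SQL syntax."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password_hash):
    """Hardened form: the statement is fixed and the values travel separately as
    bound parameters, so the same payloads are compared as literal strings."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Three classic payloads, each delivered through the username field with a wrong password.
PAYLOADS = {
    # closes the literal and adds an always-true branch; AND binds tighter than OR,
    # so the row with username = 'admin' is returned without a valid password
    "tautology": "admin' OR '1'='1",
    # closes the literal and comments out the password check entirely
    "comment": "admin'--",
    # appends a second SELECT of the same width to read every password hash
    "union": "' UNION SELECT password_hash, role FROM users--",
}


def run_payloads(conn):
    """Run every payload through both functions; returns {name: (vuln_rows, safe_rows)}."""
    return {
        name: (login_vulnerable(conn, payload, "wrong"),
               login_parameterized(conn, payload, "wrong"))
        for name, payload in PAYLOADS.items()
    }


if __name__ == "__main__":
    db = build_db()
    for name, (vuln, safe) in run_payloads(db).items():
        print(f"{name:10s} vulnerable -> {vuln}   parameterized -> {safe}")
    print("legitimate login ->", login_parameterized(db, "admin", "hash_admin"))
```

The UNION payload is the one that maps directly onto the C:H rating: with a two-column SELECT in the page the attacker reads every password hash in one request. The parameterized version returns no rows for all three payloads while still accepting the legitimate credentials, which is the behaviour a fixed MY ERP build should show.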
Remediation (AI)
Upgrade (priority: CRITICAL): Upgrade MY ERP to version 1.170 or later. The vendor's fixed release is 1.170; schedule it ahead of all non-critical work and confirm the running version after rollout rather than assuming the deployment succeeded.
Interim mitigation, WAF rules: Deploy signatures for common injection patterns (UNION SELECT, OR 1=1 tautologies, SLEEP and BENCHMARK time-based probes, comment sequences, stacked queries). The WAF must decode requests the way the application does (URL decoding, double decoding, case folding) or it can be bypassed; this is a stopgap only and does not replace patching.
Interim mitigation, network access controls: Restrict access to the MY ERP application to trusted IP ranges or VPN users, and remove direct internet exposure where operationally feasible.
Interim mitigation, database least privilege: Run the application's database account with only the rights it needs (no DDL, no file or OS-command functions, no access to other schemas) so that an injection cannot be escalated beyond the ERP data.
Detection: Review database and application logs for SQL syntax errors, permission-denied errors, UNION, comment or time-delay constructs in request parameters, and unusual query volume or result sizes. Alert on bursts of syntax errors, since probing typically produces them before a working payload is found.
Incident response: Assume breach for any instance older than 1.170 that was reachable during the disclosure window. Review web-server and database access logs for the patterns above, check for new or modified users and records, and rotate any credentials stored in the ERP database if exfiltration cannot be ruled out.
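As an added triage aid for the detection and incident-response items above (not part of the advisory or of MY ERP), the script below scans web-server access logs for the injection patterns the WAF section names. The log lines are constructed in Apache/nginx combined format, the paths and parameter names are hypothetical, and the patterns are deliberately few and written to keep false positives low (a legitimate apostrophe in a name is not flagged).

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Added triage script, not part of MY ERP or the advisory. The log lines below are
# constructed in Apache/nginx combined format; the paths and parameter names are
# hypothetical. Patterns are deliberately few and tuned for a low false-positive rate.

SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:09:12:01 +0300] "GET /erp/invoice.php?id=1042 HTTP/1.1" 200 5123
203.0.113.10 - - [10/Jun/2025:09:12:07 +0300] "GET /erp/invoice.php?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 88213
203.0.113.10 - - [10/Jun/2025:09:12:19 +0300] "GET /erp/invoice.php?id=1042%20UNION%20SELECT%20username%2Cpassword_hash%2C3%20FROM%20users-- HTTP/1.1" 200 9021
203.0.113.10 - - [10/Jun/2025:09:12:33 +0300] "GET /erp/invoice.php?id=1042%20AND%20SLEEP%285%29 HTTP/1.1" 200 5123
198.51.100.7 - - [10/Jun/2025:09:13:02 +0300] "GET /erp/search.php?q=O%27Brien HTTP/1.1" 200 2210
"""

# Each pattern is applied to the *decoded* parameter value.
PATTERNS = {
    "union-select": re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I),
    # OR/AND followed by x=x with the same token on both sides ('1'='1, 1=1, 'a'='a')
    "tautology": re.compile(r"\b(?:or|and)\b\s+'?(\w+)'?\s*=\s*'?\1\b", re.I),
    "time-based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "stacked-query": re.compile(r";\s*(?:select|insert|update|delete|drop|exec)\b", re.I),
    "sql-comment": re.compile(r"--|/\*"),
}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CLIENT_RE = re.compile(r"^(?P<ip>\S+) ")


def decode_value(value):
    """parse_qsl already URL-decodes once; decode again if the result still looks
    encoded, because double encoding is a common WAF/filter evasion."""
    if "%" in value:
        value = unquote_plus(value)
    return value


def scan_value(value):
    """Return the sorted list of pattern names that match one decoded value."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(value))


def triage(log_text):
    """Scan access-log lines; returns one finding dict per flagged query parameter."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        req = REQUEST_RE.search(raw)
        if not req:
            continue
        client = CLIENT_RE.match(raw)
        query = urlsplit(req.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            decoded = decode_value(value)
            reasons = scan_value(decoded)
            if reasons:
                findings.append({
                    "line": lineno,
                    "ip": client.group("ip") if client else "?",
                    "param": param,
                    "value": decoded,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>3} {f['ip']:<14} {f['param']}={f['value']!r}  -> {', '.join(f['reasons'])}")
```

Two limits to keep in mind when using this on real logs: POST bodies are not in access logs, so injection through form fields has to be looked for in application or database logs instead; and obfuscated payloads (inline comments, alternative whitespace, encoded keywords) will defeat simple signatures, which is exactly why the WAF and log rules above are interim measures and the version 1.170 upgrade is the actual fix.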
EUVD-2025-18686