Platform: other
Component: my-erp
Fixed in: 1.170
CVE-2025-4738 describes a SQL Injection vulnerability affecting Yirmibes Software MY ERP. This flaw allows attackers to inject malicious SQL code, potentially granting unauthorized access to sensitive data and compromising the entire system. The vulnerability impacts versions 0 through 1.170, and a patch is available in version 1.170.
Successful exploitation of CVE-2025-4738 could allow an attacker to bypass authentication mechanisms and directly manipulate the database. This could lead to the exfiltration of confidential data, including customer information, financial records, and proprietary business data. Furthermore, an attacker could potentially modify or delete data, disrupt operations, or even gain control of the underlying server. The blast radius extends to any data stored within the MY ERP database, making this a high-severity risk. While no direct precedent is immediately obvious, SQL Injection vulnerabilities are consistently among the most exploited, often leading to significant data breaches and regulatory penalties.
CVE-2025-4738 was publicly disclosed on 2025-06-19. The vulnerability's criticality (CVSS 9.8) suggests a high probability of exploitation. As of this writing, there are no publicly available proof-of-concept exploits, but the ease of SQL Injection exploitation means it is likely to be targeted. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to US critical infrastructure.
Organizations heavily reliant on MY ERP for core business processes, particularly those handling sensitive customer data or financial information, are at significant risk. Companies with legacy MY ERP deployments or those lacking robust security monitoring practices are especially vulnerable.
• other / database: Use native CLI queries to check for SQL injection vulnerabilities.
-- SQL Injection test query
SELECT 'test' FROM users WHERE username = 'admin' OR '1'='1';
Note that, run directly in a database CLI, this query only illustrates the tautology pattern; it does not exercise the application's input handling, which is where the flaw lies.
• generic web: Check for unusual SQL errors in web application logs. Look for patterns such as 'syntax error' or 'invalid column name' that might indicate an attempted SQL Injection.
• generic web: Monitor access logs for requests containing characters commonly used in SQL Injection attacks (e.g., ', ", --, /*, */).
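The two log-based checks above can be automated. The script below is an added example (not part of this advisory or of MY ERP): it URL-decodes the request target of each access-log line, matches it against a small set of injection indicators, and separately flags application-log lines carrying the SQL error strings named above. The log lines are constructed for the example, and the indicator patterns are the author's assumptions to be tuned per deployment; a lone apostrophe is deliberately not treated as an indicator because legitimate names such as O'Brien contain one.

```python
"""Flag access-log and application-log lines that carry the SQL injection
indicators described above. Added example with constructed log data."""
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not from any real MY ERP deployment).
ACCESS_LOG = [
    '203.0.113.5 - - [19/Jun/2025:10:01:02 +0000] "GET /login?user=admin&pw=secret HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Jun/2025:10:01:09 +0000] "GET /login?user=admin%27+OR+%271%27%3D%271&pw=x HTTP/1.1" 200 8192',
    '198.51.100.7 - - [19/Jun/2025:10:02:15 +0000] "GET /customers?name=O%27Brien HTTP/1.1" 200 1024',
    '203.0.113.5 - - [19/Jun/2025:10:02:40 +0000] "GET /report?id=1%3B--+ HTTP/1.1" 500 0',
]

# Constructed application log lines.
APP_LOG = [
    "2025-06-19 10:01:09 ERROR db: syntax error at or near \"'\" in query for /login",
    "2025-06-19 10:02:15 INFO  db: 1 row returned for /customers",
    "2025-06-19 10:02:40 ERROR db: invalid column name 'id;' in query for /report",
]

# Extracts the request target from a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')

# Indicator patterns (assumed, tune per deployment), matched on the decoded target.
INDICATORS = {
    "tautology": re.compile(r"'\s*(?:OR|AND)\s*'?\w*'?\s*=\s*'?\w*", re.IGNORECASE),
    "comment": re.compile(r"(?:--|/\*|\*/)"),
    "stacked": re.compile(r";\s*(?:--|DROP|SELECT|INSERT|UPDATE|DELETE)", re.IGNORECASE),
}
# SQL error strings from the detection guidance above.
ERROR_PATTERNS = re.compile(r"syntax error|invalid column name", re.IGNORECASE)


def flag_access_line(line):
    """Return the names of indicators found in one access-log line ([] if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = unquote_plus(m.group(1))  # decode %27, %3B, '+' etc. before matching
    return [name for name, rx in INDICATORS.items() if rx.search(target)]


def flag_app_line(line):
    """Return True if an application-log line carries a SQL error worth reviewing."""
    return bool(ERROR_PATTERNS.search(line))


def scan(access_lines, app_lines):
    """Return flagged requests (line, indicators) and flagged error lines."""
    requests = []
    for line in access_lines:
        hits = flag_access_line(line)
        if hits:
            requests.append((line, hits))
    errors = [line for line in app_lines if flag_app_line(line)]
    return {"requests": requests, "errors": errors}


if __name__ == "__main__":
    result = scan(ACCESS_LOG, APP_LOG)
    for line, hits in result["requests"]:
        print("REQUEST", hits, line)
    for line in result["errors"]:
        print("ERROR  ", line)
```

Correlating the two streams by timestamp and client address (here 203.0.113.5 at 10:01:09 and 10:02:40) turns isolated matches into an incident timeline; the O'Brien request stays unflagged because only the tautology, comment and stacked-statement patterns count.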
Disclosure
Exploit status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-4738 is to immediately upgrade MY ERP to version 1.170 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and parameterized queries within the application code. Web application firewalls (WAFs) configured with rules to detect and block SQL Injection attempts can provide an additional layer of defense. Monitor database logs for suspicious SQL queries that might indicate an ongoing attack. After upgrading, confirm the vulnerability is resolved by attempting a SQL Injection attack on a non-critical endpoint and verifying that the input is properly sanitized.
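To make the "input validation and parameterized queries" workaround concrete, the following added example (not MY ERP code; the users table and column names are assumed) puts a string-built lookup next to its parameterized form on an in-memory SQLite table and adds an allowlist check for the username field. The tautology input from the detection section above returns every row through the first function and no rows through the second.

```python
"""String-built query beside its parameterized form, plus an input allowlist.
Added example on an assumed schema; not code from MY ERP."""
import re
import sqlite3

# Assumed allowlist for a username field: letters, digits, dot, underscore, dash.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def make_db():
    """Build a small in-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin"), ("alice", "user"), ("bob", "user")],
    )
    return conn


def is_valid_username(value):
    """Input validation layer: reject anything outside the allowlist."""
    return bool(USERNAME_RE.match(value))


def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so the input can rewrite
    # the WHERE clause itself. This is the pattern the advisory describes.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The value is bound to a placeholder and travels separately from the SQL
    # text; whatever it contains, it is compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_hardened(conn, username):
    """Validation first, then the parameterized query; returns [] on bad input."""
    if not is_valid_username(username):
        return []
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "admin' OR '1'='1"  # the tautology shown in the detection section
    print("vulnerable   :", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
    print("hardened     :", lookup_hardened(db, probe))
    print("hardened ok  :", lookup_hardened(db, "alice"))
```

Parameter binding is the fix; the allowlist is defence in depth that also gives you a clean rejection point to log, which feeds the monitoring described above.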
Update MY ERP to version 1.170 or later. This version contains the fix for the SQL injection vulnerability. Consult the application's changelog for more details about the update.
CVE-2025-4738 is a critical SQL Injection vulnerability in MY ERP versions 0–1.170, allowing attackers to execute arbitrary SQL commands and potentially access sensitive data.
If you are using MY ERP versions 0 through 1.170, you are affected by this vulnerability. Upgrade to version 1.170 to mitigate the risk.
The recommended fix is to upgrade MY ERP to version 1.170 or later. If immediate upgrade is not possible, implement temporary workarounds like input validation and WAF rules.
While no public exploits are currently available, the high CVSS score and ease of SQL Injection exploitation suggest a high probability of active exploitation.
Refer to the Yirmibes Software security advisories page for the official advisory regarding CVE-2025-4738.