Platform
other
Component
my-erp
Fixed in
1.170
CVE-2025-4738 describes a SQL Injection vulnerability affecting Yirmibes Software MY ERP. This flaw allows attackers to inject malicious SQL code, potentially granting unauthorized access to sensitive data and compromising the entire system. The vulnerability impacts versions 0 through 1.170, and a patch is available in version 1.170.
Successful exploitation of CVE-2025-4738 could allow an attacker to bypass authentication mechanisms and directly manipulate the database. This could lead to the exfiltration of confidential data, including customer information, financial records, and proprietary business data. Furthermore, an attacker could potentially modify or delete data, disrupt operations, or even gain control of the underlying server. The blast radius extends to any data stored within the MY ERP database, making this a high-severity risk. While no direct precedent is immediately obvious, SQL Injection vulnerabilities are consistently among the most exploited, often leading to significant data breaches and regulatory penalties.
CVE-2025-4738 was publicly disclosed on 2025-06-19. The vulnerability's criticality (CVSS 9.8) suggests a high probability of exploitation. As of this writing, there are no publicly available proof-of-concept exploits, but the ease of SQL Injection exploitation means it is likely to be targeted. The vulnerability has been added to the CISA KEV catalog, indicating a significant risk to US critical infrastructure.
Exploit Status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-4738 is to upgrade MY ERP to version 1.170 or later, which contains the fix. If upgrading is not immediately feasible, reduce exposure in the meantime with input validation and parameterized (prepared) queries in the application code. A web application firewall (WAF) configured with SQL Injection rules adds a further layer of defense. Monitor database and application query logs for suspicious statements that might indicate an ongoing attack. After upgrading, confirm the fix by sending SQL Injection test inputs to a non-critical endpoint in a test environment and verifying that they are treated as literal data rather than executed.
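As an added illustration of the workarounds and checks named above (parameterized queries, input validation, query-log monitoring, and a post-upgrade regression check), the following Python snippet uses an in-memory SQLite database with a constructed customer table. It is not code from Yirmibes Software or MY ERP, whose source and database layer are not described on this page; the table, rows, log lines and the `app=my-erp` tag are all constructed placeholders.

```python
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    # Constructed sample schema standing in for an ERP customer table
    # (assumption: the real MY ERP schema is not public on this page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers (name, balance) VALUES (?, ?)",
        [("Acme Ltd", 1200.0), ("Globex", 340.5), ("Initech", 0.0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Before: user input is spliced into the SQL text, so a quote character in
    # `name` changes the structure of the statement instead of being data.
    sql = f"SELECT name, balance FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # After: the driver binds `name` as a value; the SQL text never changes.
    sql = "SELECT name, balance FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_customer_name(name: str) -> bool:
    # Defence in depth: allow-list validation applied before the query,
    # on top of (never instead of) parameter binding.
    if not 1 <= len(name) <= 64:
        return False
    return all(c.isalnum() or c in " .-&" for c in name)


def verify_fix(conn: sqlite3.Connection) -> dict:
    # Regression check for the advisory's verification step: a tautology
    # input must be treated as a literal string and therefore match no row.
    probe = "' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "parameterized_rows": len(lookup_parameterized(conn, probe)),
    }


# Constructed sample query-log lines (not real MY ERP log output).
SAMPLE_LOG_LINES = [
    "2025-06-19T10:00:01Z app=my-erp sql=SELECT name FROM customers WHERE name = 'Acme Ltd'",
    "2025-06-19T10:00:02Z app=my-erp sql=SELECT name FROM customers WHERE name = '' OR '1'='1'",
    "2025-06-19T10:00:03Z app=my-erp sql=SELECT name FROM customers WHERE name = 'Initech' -- ",
]

# Coarse signatures for the log-monitoring step: quote-tautologies, SQL
# comment markers and stacked/union statements. Tune to the real log format.
SUSPICIOUS_SQL = re.compile(r"(?i)('\s*or\s*'|--|/\*|\bunion\s+select\b|;\s*(drop|delete|update)\b)")


def flag_suspicious_queries(lines: list) -> list:
    # Returns the log lines whose SQL text matches a suspicious signature.
    flagged = []
    for line in lines:
        _, _, sql = line.partition("sql=")
        if sql and SUSPICIOUS_SQL.search(sql):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    db = build_demo_db()
    print(verify_fix(db))                      # vulnerable form matches every row, bound form none
    print(is_valid_customer_name("' OR '1'='1"))
    print(flag_suspicious_queries(SAMPLE_LOG_LINES))
```

The `verify_fix` function is the kind of check to keep in a test suite after the upgrade: it fails loudly if a concatenated query ever comes back, and it exercises only an in-memory database rather than a production endpoint.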
Update MY ERP to version 1.170 or higher. This version contains the fix for the SQL Injection vulnerability. See the application's changelog for more details about the update.
CVE-2025-4738 is a critical SQL Injection vulnerability in MY ERP versions 0–1.170, allowing attackers to execute arbitrary SQL commands and potentially access sensitive data.
If you are using MY ERP versions 0 through 1.170, you are affected by this vulnerability. Upgrade to version 1.170 to mitigate the risk.
The recommended fix is to upgrade MY ERP to version 1.170 or later. If immediate upgrade is not possible, implement temporary workarounds like input validation and WAF rules.
While no public exploits are currently available, the high CVSS score and ease of SQL Injection exploitation suggest a high probability of active exploitation.
Refer to the Yirmibes Software security advisories page for the official advisory regarding CVE-2025-4738.