CVE-2022-45165 is a medium-severity SQL injection vulnerability identified in Archibus Web Central version 2022.03.01.107. Archibus Web Central is a widely used integrated workplace management system (IWMS) that organizations deploy to manage real estate, infrastructure, and facilities. The vulnerability arises because a service within the application accepts a user-controlled parameter that is directly incorporated into an SQL query without proper sanitization or parameterization. This lack of input validation allows an attacker with low privileges to inject malicious SQL code into the query. The CVSS 3.1 vector (CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:L/S:U/UI:N) indicates that the attack can be performed remotely over the network without user interaction, requires low privileges, and impacts confidentiality with a high impact, but does not affect integrity or availability. Exploiting this vulnerability could allow an attacker to extract sensitive data from the backend database, such as credentials, personal information, or proprietary business data, without altering or destroying data. Although no known exploits are currently reported in the wild, the vulnerability's nature and the criticality of the data managed by Archibus make it a significant risk. The absence of a vendor-provided patch link suggests that remediation may require custom mitigations or vendor engagement. The underlying weakness corresponds to CWE-89, a common and well-understood SQL injection flaw, emphasizing the importance of secure coding practices such as prepared statements and input validation.

For European organizations using Archibus Web Central, this vulnerability poses a substantial risk to the confidentiality of sensitive corporate and personal data managed within the platform. Facilities and real estate management data often include employee information, building access controls, and financial records, which if exposed, could lead to privacy violations under GDPR and other data protection regulations. A successful attack could result in unauthorized data disclosure, reputational damage, regulatory fines, and potential operational disruptions if sensitive information is leveraged for further attacks. Given the remote exploitability and lack of required user interaction, attackers could automate exploitation attempts, increasing the risk of widespread compromise. The medium CVSS score reflects the limited scope to confidentiality impact only, but the critical nature of the data involved elevates the practical severity for affected organizations. Furthermore, the requirement for low privileges means that even compromised or less-privileged internal accounts could be leveraged to exploit the vulnerability, increasing the attack surface.

European organizations should prioritize the following mitigation steps: 1) Engage with the Archibus vendor or support channels to confirm the availability of official patches or updates addressing CVE-2022-45165 and apply them promptly. 2) If patches are unavailable, implement immediate compensating controls such as web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable service. 3) Conduct a thorough code review and refactor the affected service to use parameterized queries or prepared statements, eliminating direct concatenation of user input into SQL commands. 4) Restrict access to the vulnerable service to trusted internal networks or authenticated users with the minimum necessary privileges to reduce exposure. 5) Monitor logs and network traffic for anomalous SQL queries or repeated failed attempts indicative of exploitation attempts. 6) Perform regular security assessments and penetration tests focusing on SQL injection vectors within Archibus deployments. 7) Educate developers and administrators on secure coding and configuration practices to prevent similar vulnerabilities. These targeted actions go beyond generic advice by focusing on vendor engagement, code remediation, network-level protections, and proactive detection tailored to the specific vulnerability context.