
CVE-2023-27167: n/a in n/a

Medium
Tags: Vulnerability, CVE-2023-27167, cve, cve-2023-27167
Published: Wed Mar 29 2023 (03/29/2023, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via the values parameter at /users/absence?search_month=1.

AI-Powered Analysis

Last updated: 07/07/2025, 00:27:56 UTC

Technical Analysis

CVE-2023-27167 is a SQL injection vulnerability (CWE-89) in Suprema BioStar 2 version 2.8.16, an access control and security management platform. The flaw is in the /users/absence endpoint: the 'values' parameter of a request to /users/absence?search_month=1 is incorporated into a backend SQL query without adequate parameterisation or sanitisation, so an attacker who controls that parameter can change the structure of the query rather than merely the data it filters on. The CVSS 3.1 base score is 6.5 (medium), which corresponds to an attack over the network (AV:N) with low complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high impact on confidentiality (C:H) and no impact on integrity or availability (I:N/A:N). In practice this means an authenticated low-privilege user of the web application can craft requests that read data the endpoint was never meant to return, for example by UNION-based extraction or by blind (boolean or time-based) techniques if the query's results are not echoed directly. No exploitation in the wild has been reported and no vendor patch is linked in this record. Because BioStar 2 sits at the centre of physical access control, the data at risk includes personnel records, account credentials and access logs, all of which are valuable reconnaissance for follow-on attacks. The authentication requirement narrows exposure but does not remove it: shared or compromised credentials, or a management interface reachable from a broad internal network or VPN, put the database within reach of the attacker.
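To make the CWE-89 pattern described above concrete, the following is an added example written for this page; it is not BioStar 2 code and makes no claim about how the real endpoint is implemented. The table layout, the shape of the query and the way the 'values' filter is spliced into it are assumptions chosen to mirror an endpoint that filters absences by month and a free-text field, using an in-memory SQLite database and constructed sample rows. The hypothetical vulnerable handler is shown beside the hardened one that uses bound parameters.

```python
import sqlite3
from urllib.parse import parse_qs, urlencode


def build_db() -> sqlite3.Connection:
    """Constructed sample data: the table the endpoint is meant to query
    and a second table it should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE absence (user_name TEXT, month INTEGER, reason TEXT);
        INSERT INTO absence VALUES ('alice', 1, 'sick'),
                                   ('bob',   1, 'leave'),
                                   ('carol', 2, 'training');
        CREATE TABLE credential (user_name TEXT, password_hash TEXT);
        INSERT INTO credential VALUES ('admin', 'a1b2c3d4'),
                                      ('alice', 'e5f6a7b8');
    """)
    return conn


def absence_vulnerable(conn: sqlite3.Connection, query_string: str) -> list:
    """Hypothetical vulnerable handler: the 'values' filter is spliced into
    the SQL text, so a quote in the input ends the string literal and the
    rest of the input is parsed as SQL syntax."""
    params = parse_qs(query_string)
    month = int(params.get("search_month", ["1"])[0])   # cast to int: not injectable
    values = params.get("values", [""])[0]              # free text: injectable
    sql = (
        "SELECT user_name, reason FROM absence "
        f"WHERE month = {month} AND user_name = '{values}'"
    )
    return conn.execute(sql).fetchall()


def absence_hardened(conn: sqlite3.Connection, query_string: str) -> list:
    """Same handler with bound parameters: the driver passes the input as a
    value, never as part of the statement, so the payload matches nothing."""
    params = parse_qs(query_string)
    month = int(params.get("search_month", ["1"])[0])
    values = params.get("values", [""])[0]
    sql = "SELECT user_name, reason FROM absence WHERE month = ? AND user_name = ?"
    return conn.execute(sql, (month, values)).fetchall()


# Constructed requests. The UNION payload closes the string literal, appends a
# SELECT with the same column count against the credential table, and comments
# out the closing quote the handler would otherwise append.
BENIGN = urlencode({"search_month": "1", "values": "alice"})
INJECTED = urlencode({
    "search_month": "1",
    "values": "x' UNION SELECT user_name, password_hash FROM credential --",
})

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, benign   :", absence_vulnerable(conn, BENIGN))
    print("vulnerable, injected :", absence_vulnerable(conn, INJECTED))
    print("hardened,   injected :", absence_hardened(conn, INJECTED))
```

The numeric search_month field is cast to an integer and so cannot carry a payload; the free-text 'values' field is the one that matters, which is consistent with the CVE description naming that parameter. The hardened version changes nothing about the query's logic, only how the input reaches the database.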

Potential Impact

For European organizations, the impact of this vulnerability could be significant, especially for those relying on Suprema BioStar 2 for physical access control and security management in critical infrastructure, government facilities, or large enterprises. Unauthorized access to sensitive user absence data or other personnel information could lead to privacy violations under GDPR, resulting in regulatory fines and reputational damage. Furthermore, attackers could use the information gained to facilitate insider threats, social engineering, or lateral movement within networks. The confidentiality breach could expose employee schedules, access patterns, or other sensitive operational details. Although the vulnerability does not directly affect system integrity or availability, the indirect consequences of data leakage and potential follow-on attacks could disrupt business operations and compromise physical security. Organizations in sectors such as finance, healthcare, manufacturing, and public administration in Europe are particularly at risk due to their reliance on secure access control systems and strict data protection requirements.

Mitigation Recommendations

Start by confirming whether any BioStar 2 server is running version 2.8.16, the only version named in the CVE record; because the record does not say which other releases are affected, treat neighbouring versions as suspect until Suprema confirms otherwise. Since no patch is linked here, check Suprema's release notes and support channels for a fixed build and apply it as soon as it is available. Until then, restrict network access to the BioStar 2 management interface to trusted IP ranges and segments, ideally on a dedicated VLAN reachable only through a VPN with multi-factor authentication. Review BioStar 2 accounts and reduce their privileges to the minimum needed, because exploitation requires only a low-privilege login (PR:L); disable dormant accounts and rotate shared or default credentials. Capture and monitor web access logs, on the server or on a reverse proxy in front of it, for requests to /users/absence whose 'values' parameter contains quotes, SQL keywords or comment sequences, and for unusual request volumes or response sizes from a single account. A WAF with rules targeting SQL injection in that parameter adds a temporary layer, but WAF rules are bypassable and are not a substitute for the vendor fix. Finally, include this endpoint and similar search and filter parameters in periodic authenticated vulnerability scans and penetration tests, and after remediation confirm that the parameter reaches the database as a bound value rather than as concatenated SQL text.
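To make the log-monitoring recommendation concrete, here is an added example (not part of this page and not Suprema's tooling) that scans access-log lines for requests to /users/absence whose 'values' parameter looks like an injection attempt. The log entries, IP addresses and payloads are constructed sample data in Apache/nginx combined format; the example assumes that query strings are recorded by the web server or a reverse proxy, which the application's own logs may not do.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# One entry in Apache/nginx "combined" format; only the fields we need are captured.
ENTRY_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Heuristics applied to a single decoded parameter value. Each is deliberately
# narrow so that ordinary names containing an apostrophe (o'brien) are not flagged.
SQLI_PATTERNS = {
    "quote_then_sql":   re.compile(r"'\s*(or|and|union|--|#|;)", re.I),
    "union_select":     re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time_based":       re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
    "tautology":        re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "trailing_comment": re.compile(r"(--|/\*|#)\s*$"),
}


def suspicious_values(value: str) -> list:
    """Return the names of the heuristics a parameter value matches."""
    decoded = unquote(unquote(value))   # decode twice to catch %2527-style evasion
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]


def scan(lines) -> list:
    """Flag requests to /users/absence whose 'values' parameter looks injected."""
    hits = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # not a request entry we understand
        url = urlsplit(m["target"])
        if url.path != "/users/absence":
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        for value in query.get("values", []):
            matched = suspicious_values(value)
            if matched:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "values": unquote(unquote(value)),
                    "matched": matched,
                })
    return hits


def by_source(hits) -> dict:
    """Count flagged requests per client IP, the unit an analyst would act on."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log: one benign lookup, an unrelated endpoint, a UNION
# probe, a time-based probe, and a legitimate name with an apostrophe.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Mar/2023:10:15:01 +0000] "GET /users/absence?search_month=1&values=alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [29/Mar/2023:10:15:07 +0000] "GET /users/list?page=2 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [29/Mar/2023:10:16:22 +0000] "GET /users/absence?search_month=1&values=x%27%20UNION%20SELECT%20user_name%2Cpassword_hash%20FROM%20credential--%20 HTTP/1.1" 200 1377',
    '203.0.113.9 - - [29/Mar/2023:10:16:30 +0000] "GET /users/absence?search_month=1&values=alice%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 128',
    '198.51.100.4 - - [29/Mar/2023:10:17:02 +0000] "GET /users/absence?search_month=1&values=o%27brien HTTP/1.1" 200 96',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["values"], hit["matched"])
    print(by_source(scan(SAMPLE_LOG)))
```

The heuristics are intentionally conservative: a lone apostrophe is not enough, because real names contain them, but a quote followed by SQL syntax, a UNION ... SELECT, a timing function or a trailing comment marker is. Pair the per-IP counts with the account name from the application's own audit log to identify which low-privilege login is being used, and treat a response size that jumps on a flagged request as a sign the injection returned data.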


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2023-02-27T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981fc4522896dcbdc530

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/7/2025, 12:27:56 AM

Last updated: 8/8/2025, 6:38:47 AM

Views: 11

