CVE-2023-48645 is a high-severity SQL injection vulnerability identified in the Archibus mobile application version 4.0.3 for iOS. Archibus is a widely used integrated workplace management system (IWMS) that organizations deploy to manage real estate, infrastructure, and facilities. The vulnerability resides in the Maintenance module's search work request feature, which interacts with a local database on the device. This local database synchronizes with a central web server instance each time the app is opened or the refresh button is pressed. The SQL injection flaw allows an attacker with limited privileges and local access to the device to craft malicious input that manipulates SQL queries executed against the local database. Exploiting this vulnerability can lead to unauthorized reading, modification, or deletion of data within the local database, impacting confidentiality, integrity, and availability of stored information. The CVSS v3.1 score of 7.8 reflects the high impact and relatively low attack complexity, requiring only low privileges and no user interaction. Although the vulnerability affects the local database, the synchronization mechanism with the central server raises concerns about potential propagation of corrupted or malicious data to the central system, which could further compromise enterprise data integrity. No public exploits or patches have been reported yet, increasing the urgency for organizations to assess their exposure and implement mitigations proactively. The vulnerability is classified under CWE-89, indicating classic SQL injection issues due to improper input sanitization or parameterization in database queries.

For European organizations using Archibus 4.0.3 on iOS devices, this vulnerability poses significant risks. Facilities and real estate management data often include sensitive operational details, maintenance schedules, asset inventories, and potentially personal data of employees or contractors. Unauthorized access or manipulation of this data could disrupt maintenance workflows, cause erroneous asset management decisions, or lead to data leakage. Given the synchronization with a central server, corrupted local data might propagate, affecting enterprise-wide data integrity and availability. This could result in operational downtime, financial losses, and regulatory compliance violations, especially under GDPR if personal data is involved. The requirement for low privileges and no user interaction means that an insider threat or a compromised device could easily exploit this flaw. The lack of known public exploits currently limits immediate widespread impact, but the vulnerability’s presence in a critical enterprise app used across multiple sectors (real estate, facilities management, government institutions) in Europe elevates its threat profile.

European organizations should immediately conduct an inventory to identify iOS devices running Archibus 4.0.3. Until an official patch is released, mitigations include: 1) Restricting access to the app and its data on iOS devices through mobile device management (MDM) policies, enforcing strong authentication and device encryption. 2) Limiting synchronization to trusted networks and times to reduce exposure to tampered data. 3) Implementing input validation or filtering at the app or network level if possible, to block suspicious query patterns targeting the search work request feature. 4) Monitoring logs for anomalous database query activity or synchronization errors that may indicate exploitation attempts. 5) Engaging with the Archibus vendor for timely patch releases and applying updates promptly once available. 6) Educating users about the risks of using the app on jailbroken or compromised devices, as these increase exploitation likelihood. 7) Considering temporary disabling of the search work request feature if feasible, to eliminate the attack vector until patched.