
CVE-2023-7022: CWE-89 SQL Injection in Tongda OA 2017

Medium
Tags: Vulnerability, CVE-2023-7022, CWE-89 SQL Injection
Published: Thu Dec 21 2023 (12/21/2023, 01:31:04 UTC)
Source: CVE
Vendor/Project: Tongda
Product: OA 2017

Description

A vulnerability was found in Tongda OA 2017 up to 11.9. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file general/work_plan/manage/delete_all.php. The manipulation of the argument DELETE_STR leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-248569 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 06/24/2025, 04:54:45 UTC

Technical Analysis

CVE-2023-7022 is a SQL injection vulnerability (CWE-89, improper neutralization of special elements used in an SQL command) in Tongda OA 2017, affecting versions up to and including 11.9 according to the VulDB record. The flaw is in general/work_plan/manage/delete_all.php: the DELETE_STR request parameter is passed into an SQL statement without adequate validation or parameterization, so an attacker who can reach the endpoint can change the structure of the statement rather than just its data. The record states that the attack can be launched remotely; it does not state whether an authenticated session is required, and the Medium rating shown on this page should not be read as confirming an unauthenticated attack (the VulDB description text itself labels the issue "critical", which is that database's wording rather than a CVSS severity). The exact functionality of delete_all.php is not documented in the record, but a bulk-delete endpoint in the work-plan module most plausibly executes a DELETE statement built from the list of record identifiers carried in DELETE_STR, so a successful injection could delete or alter work-plan data and, depending on the database account's privileges and whether stacked queries are possible, read or modify other tables. The vendor was contacted before disclosure and did not respond, no fix is referenced, and exploit details are public, which raises the likelihood of opportunistic exploitation; the record does not report exploitation in the wild.

Potential Impact

For organizations running Tongda OA 2017, this vulnerability threatens the confidentiality, integrity, and availability of the business data held in the OA system. Successful exploitation could expose internal documents, alter or delete work plans, and, if the database account is over-privileged, give the attacker a foothold for further movement inside the network. The consequences are disrupted operations, breaches involving personal or proprietary data, and reputational damage. Tongda OA is an office automation platform used mainly in Chinese government, education, and enterprise environments, so European exposure is most likely through subsidiaries, partners, or joint ventures of such organizations; where it is deployed in sectors handling sensitive or regulated data, the impact can be severe. The absence of a vendor response or patch lengthens the window of exposure, making timely mitigation critical, and the remote nature of the attack combined with public exploit details lowers the barrier for opportunistic criminals as well as targeted actors.

Mitigation Recommendations

1. As an immediate step, restrict external access to affected Tongda OA 2017 instances with network-level controls such as IP allowlisting or VPN-only access to reduce exposure.
2. Deploy a Web Application Firewall (WAF) with a rule for the delete_all.php endpoint that rejects any DELETE_STR value that is not a plain comma-separated list of numeric identifiers; a positive allowlist of this kind is more reliable than signature matching on SQL keywords.
3. If the application source is accessible, fix the root cause: validate DELETE_STR as a list of integer IDs and bind each value with a prepared statement instead of concatenating the parameter into the query. Input filtering at the WAF is a compensating control, not a replacement for this.
4. Where possible, disable or restrict the functionality behind delete_all.php until a vendor patch or official fix is available.
5. Monitor web server and application logs for requests to delete_all.php whose DELETE_STR parameter contains quotes, parentheses, comment sequences, or SQL keywords, and for any unusual activity in the work-plan management functions.
6. Consider database activity monitoring to detect anomalous statements, such as DELETE or SELECT queries against work-plan tables with unexpected predicates.
7. Maintain threat-hunting and incident-response readiness so that exploitation attempts can be identified and contained quickly.
8. If vendor support remains unavailable, evaluate alternative OA solutions or upgrade paths to ensure long-term security and compliance.
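The following Python script is an added illustration of the bug class described in the Technical Analysis and of the allowlist approach in recommendations 2, 3 and 5 above; it is not Tongda code and is not taken from this advisory. The page does not show the source of delete_all.php, so the table and column names, the assumption that DELETE_STR carries a comma-separated list of record IDs (with an optional trailing comma), and the sample log lines are all constructed for the example. SQLite stands in for the real database.

```python
"""CWE-89 illustration for CVE-2023-7022 (added example, not Tongda code).

Shows (1) a DELETE built by string concatenation being subverted through
DELETE_STR, (2) the same operation with allowlist validation plus bound
parameters, and (3) the same allowlist applied to access-log lines as a
detection rule.  Table/column names, the shape of DELETE_STR, and the log
lines are assumptions made for this example.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Allowlist: one or more integers separated by commas, optional trailing comma.
# (Assumption: the real parameter is a list of record IDs such as "3,7,12,".)
DELETE_STR_RE = re.compile(r"^\d+(?:,\d+)*,?$")


def parse_delete_str(delete_str):
    """Return the integer IDs in DELETE_STR, or raise ValueError on anything else."""
    if not DELETE_STR_RE.fullmatch(delete_str):
        raise ValueError(f"DELETE_STR rejected: {delete_str!r}")
    return [int(x) for x in delete_str.rstrip(",").split(",")]


def fresh_db():
    """In-memory stand-in for the work-plan table, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE work_plan (plan_id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO work_plan VALUES (?, ?, ?)",
        [(1, "alice", "Q1 roadmap"), (2, "bob", "Audit prep"), (3, "alice", "Budget")],
    )
    conn.commit()
    return conn


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT plan_id FROM work_plan ORDER BY plan_id")]


def delete_all_vulnerable(conn, delete_str):
    """CWE-89 pattern: the untrusted list is spliced straight into the IN (...) clause."""
    ids = delete_str.rstrip(",")
    conn.execute(f"DELETE FROM work_plan WHERE plan_id IN ({ids})")
    conn.commit()
    return remaining_ids(conn)


def delete_all_hardened(conn, delete_str):
    """Validate against the allowlist first, then bind every ID as a parameter."""
    ids = parse_delete_str(delete_str)
    placeholders = ",".join("?" * len(ids))
    conn.execute(f"DELETE FROM work_plan WHERE plan_id IN ({placeholders})", ids)
    conn.commit()
    return remaining_ids(conn)


def flag_delete_str_requests(log_lines):
    """Return access-log lines whose DELETE_STR value fails the allowlist.

    Only the request line ("METHOD path?query HTTP/x") is inspected, so a
    POST body would need a different log source; the rule itself is the same.
    """
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m or "delete_all.php" not in m.group(1):
            continue
        params = parse_qs(urlsplit(m.group(1)).query)
        if any(not DELETE_STR_RE.fullmatch(v) for v in params.get("DELETE_STR", [])):
            flagged.append(line)
    return flagged


# Constructed sample traffic (not real log data): one benign request, one injection attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Dec/2023:10:01:02 +0000] "GET /general/work_plan/manage/delete_all.php?DELETE_STR=2, HTTP/1.1" 200 35',
    '203.0.113.9 - - [21/Dec/2023:10:01:09 +0000] "GET /general/work_plan/manage/delete_all.php?DELETE_STR=1)%20OR%201%3D1%20-- HTTP/1.1" 200 35',
]

# Closes the IN list, adds an always-true predicate, comments out the rest.
INJECTION = "1) OR 1=1 --"

if __name__ == "__main__":
    print("vulnerable, benign input :", delete_all_vulnerable(fresh_db(), "2,"))
    print("vulnerable, injection    :", delete_all_vulnerable(fresh_db(), INJECTION))
    print("hardened,   benign input :", delete_all_hardened(fresh_db(), "2,"))
    try:
        delete_all_hardened(fresh_db(), INJECTION)
    except ValueError as exc:
        print("hardened,   injection    : rejected,", exc)
    print("flagged log lines        :", len(flag_delete_str_requests(SAMPLE_LOG)))
```

Run stand-alone, the vulnerable path deletes every row when given the injection value, while the hardened path deletes only the requested ID and rejects the injection before any SQL is executed; the same regular expression flags exactly the malicious log line. The allowlist works because the legitimate value space is tiny and well defined, which is why recommendation 2 prefers it over a denylist of SQL keywords.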


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2023-12-20T17:01:14.402Z
Cisa Enriched
true

Threat ID: 682d9840c4522896dcbf1121

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 6/24/2025, 4:54:45 AM

Last updated: 8/9/2025, 12:01:08 PM

