CVE-2024-12146: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Finder Fire Safety Finder ERP/CRM (New System)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Finder Fire Safety Finder ERP/CRM (New System) allows SQL Injection. This issue affects Finder ERP/CRM (New System): before 18.12.2024.
AI Analysis
Technical Summary
CVE-2024-12146 is a SQL Injection vulnerability (CWE-89) in Finder Fire Safety's Finder ERP/CRM (New System), affecting builds before 18.12.2024; the CVE was assigned by TR-CERT. User-supplied input reaches a SQL statement without being neutralized, so an attacker can change the structure of the query rather than only the data value it compares against. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is reachable over the network, is low in complexity, and needs neither credentials nor user interaction; the base score of 7.5 (High) is consistent with a high confidentiality impact and no rated integrity or availability impact, i.e. the documented consequence is unauthorized reading of the backend database rather than modification or denial of service. That rating reflects the vector as published; in practice an injection point that allows data extraction may also allow writes, stacked statements, or file access depending on the database engine and the privileges of the application's database account, so treat the integrity and availability ratings as a floor rather than a guarantee. No public exploit has been reported, but unauthenticated SQL injection is routinely weaponized with off-the-shelf tooling once the endpoint is known. The advisory does not identify the vulnerable parameter or endpoint. The affected-version boundary implies that the 18.12.2024 release is the fixed build, although the advisory does not say so explicitly. An ERP/CRM of this kind typically holds customer, contract, and operational data for fire safety services, so disclosure of its contents would be damaging. The root cause is the classic one: SQL assembled by string concatenation instead of parameterized queries, combined with missing server-side input validation.
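As an added illustration of the CWE-89 pattern the summary describes, and not code from the advisory or from the Finder product, the following Python script runs the same constructed payload through a vulnerable string-concatenated query and through its parameterized replacement, using an in-memory SQLite database. The advisory names no endpoint or parameter, so the customers table, the users table, and the city search are hypothetical; the payload is a textbook UNION-based read chosen to match the confidentiality-only impact in the CVSS vector.

```python
import sqlite3

# Constructed in-memory database standing in for an ERP/CRM backend. The table
# and column names are illustrative; they are not taken from the affected product.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO customers (name, city) VALUES (?, ?)",
                     [("Acme Sprinklers", "Berlin"), ("Nordic Alarms", "Stockholm")])
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("admin", "$2b$12$examplehash"))
    conn.commit()
    return conn

def search_customers_vulnerable(conn, city):
    # CWE-89: the caller-controlled value is spliced into the SQL text, so a quote
    # in the input ends the string literal and the remainder is parsed as SQL.
    sql = f"SELECT name, city FROM customers WHERE city = '{city}'"
    return conn.execute(sql).fetchall()

def search_customers_fixed(conn, city):
    # Parameterized query: the value travels separately from the statement text
    # and cannot change the query's structure, whatever characters it contains.
    sql = "SELECT name, city FROM customers WHERE city = ?"
    return conn.execute(sql, (city,)).fetchall()

# Constructed UNION-based payload (hypothetical; the advisory publishes no payload).
# It closes the string literal, appends a SELECT over an unrelated table with the
# same column count, and comments out the application's trailing quote. It is a
# pure read, matching the confidentiality-only impact in the CVSS vector.
PAYLOAD = "Berlin' UNION SELECT username, pw_hash FROM users --"

def demo():
    """Run the same payload through both code paths and return what each yields."""
    conn = build_db()
    return {
        "vulnerable": search_customers_vulnerable(conn, PAYLOAD),  # leaks users rows
        "fixed": search_customers_fixed(conn, PAYLOAD),            # no city has that value
        "legit": search_customers_fixed(conn, "Berlin"),           # normal use still works
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} {rows}")
```

The vulnerable path returns the admin row from the users table alongside the genuine Berlin customer; the parameterized path returns nothing for the payload because it is treated as a literal city name, while ordinary searches are unaffected. The fix is the same on every database driver: never build the statement from the input, bind the input.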
Potential Impact
For European organizations, exploitation could disclose the business, client, and operational data held in the Finder ERP/CRM system, which for a product of this kind typically includes customer and contract records, site and inspection data, and personal data of employees and client contacts. Beyond loss of competitive advantage and reputational damage, a confirmed breach of personal data triggers GDPR obligations, including notification of the supervisory authority within 72 hours where the breach is likely to result in a risk to individuals. Although the CVSS vector rates only confidentiality impact, exfiltrated credentials, contact details, or internal identifiers can be reused for phishing, account takeover, or further intrusion, so secondary operational disruption is plausible. Because exploitation needs no credentials or user interaction, any instance reachable from the internet is exposed to opportunistic scanning as well as targeted attack. The absence of a known public exploit provides a window for proactive defense, but an unauthenticated SQL injection rated 7.5 (High) should be treated with urgency.
Mitigation Recommendations
1. Upgrade to version 18.12.2024 or later. The advisory's affected range ("before 18.12.2024") implies that release contains the fix; confirm this with Finder Fire Safety before relying on it, and verify the installed version after upgrading.
2. Until the upgrade is done, keep the ERP/CRM off the public internet: place it behind a VPN or an authenticating reverse proxy and restrict at the firewall which source addresses may reach it.
3. Put a Web Application Firewall with SQL Injection rule sets in front of the application as a stopgap. Treat it as exactly that: WAF signatures can be bypassed with encoding and syntax variation and do not replace the vendor fix.
4. Run the application's database account with the minimum privileges it needs (no access to unrelated schemas, system catalogs, or file-system and OS-execution features the application does not use). This does not close the injection, but it bounds what an attacker can read through it.
5. For any in-house customizations, integrations, or reports that build SQL against the ERP/CRM database, replace string concatenation with parameterized queries or prepared statements and validate input server-side. The vendor's code is the vendor's responsibility; this item covers your own code that touches the same data.
6. Monitor for exploitation attempts. In web server and proxy logs, look for encoded quote characters (%27), UNION and SELECT keywords, comment sequences (--, /*) and boolean tautologies in request parameters, and for bursts of HTTP 500 responses from a single source. In database logs, look for queries touching tables or catalog views (for example information_schema) that the application does not normally use. Preserve these logs for incident response.
7. Because the flaw is unauthenticated and the data is sensitive, review access logs back to the first date the system was reachable from outside for the indicators above. If you find evidence of successful injected queries, treat the database contents as disclosed and follow your breach-notification process.
8. Segment the ERP/CRM application and its database from other critical systems so that compromise of either host does not give direct lateral movement.
9. Educate development and IT teams on SQL Injection and secure query construction, and schedule regular security assessments and code reviews that focus on query construction and input handling.
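The log-monitoring step is the one most teams leave vague. The following Python example, added here and not taken from the advisory or from any vendor tooling, scans constructed Apache common-log-format lines, percent-decodes each query parameter, and flags values that carry SQL injection indicators while leaving a legitimate apostrophe (O'Brien) alone. The /crm/customers path, the city parameter, and the IP addresses are made up for the example; the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in Apache common log format (sample data, not real
# traffic). The /crm/customers path and the city parameter are hypothetical; the
# advisory does not name the vulnerable endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2025:12:59:13 +0000] "GET /crm/customers?city=Berlin HTTP/1.1" 200 1532
203.0.113.7 - - [14/Oct/2025:12:59:14 +0000] "GET /crm/customers?city=Berlin%27%20UNION%20SELECT%20username%2Cpw_hash%20FROM%20users--%20 HTTP/1.1" 200 2210
198.51.100.5 - - [14/Oct/2025:13:00:01 +0000] "GET /crm/customers?city=O%27Brien HTTP/1.1" 200 901
203.0.113.7 - - [14/Oct/2025:13:00:02 +0000] "GET /crm/customers?city=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Each indicator requires a SQL construct, not merely a quote character, so a
# legitimate apostrophe in a name does not raise an alert on its own.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("comment_terminator", re.compile(r"--|/\*")),
    ("tautology", re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I)),
    ("stacked_or_time_based", re.compile(r";\s*\w|\bsleep\s*\(|\bwaitfor\s+delay\b", re.I)),
]

def parse_line(line):
    """Parse one log line; return a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes the values, so matching happens on the same text
    # the application hands to its SQL layer rather than on the encoded wire form.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec

def classify_value(value):
    """Return the names of every indicator that matches the decoded value."""
    return [name for name, rx in INDICATORS if rx.search(value)]

def scan_log(text):
    """Return one alert per (request, parameter) pair that carries an indicator."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            hits = classify_value(value)
            if hits:
                alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                               "param": key, "status": rec["status"], "indicators": hits})
    return alerts

def sources_by_alert_count(alerts):
    """Rank source addresses by number of alerts, most active first."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a)
    print(sources_by_alert_count(found))
```

Two of the four sample requests are flagged (the UNION read and the OR tautology, both from 203.0.113.7), the O'Brien search is not, and the per-source ranking gives the address to block or investigate first. These patterns are heuristics: expect to tune them per application, decode before matching (the example decodes once; a double-encoded payload would need a second pass), and pair them with a spike in 500 responses, which on this sample is the tautology request.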
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: TR-CERT
- Date Reserved: 2024-12-04T11:44:09.224Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ee4921509368ccaa72489e
Added to database: 10/14/2025, 12:59:13 PM
Last enriched: 10/14/2025, 1:02:24 PM
Last updated: 10/16/2025, 12:42:06 PM
Related Threats
- CVE-2025-9955: Vulnerability in WSO2 WSO2 Enterprise Integrator (Medium)
- CVE-2025-10611: Vulnerability in WSO2 WSO2 API Manager (Critical)
- CVE-2025-58426: Use of hard-coded cryptographic key in NEOJAPAN Inc. desknet's NEO (Medium)
- CVE-2025-58079: Improper Protection of Alternate Path in NEOJAPAN Inc. desknet's NEO (Medium)
- CVE-2025-55072: Cross-site scripting (XSS) in NEOJAPAN Inc. desknet's NEO (Medium)