CVE-2024-28297 identifies a SQL injection vulnerability in AzureSoft MyHorus version 4.3.5. SQL injection (CWE-89) occurs when untrusted input is improperly sanitized before being included in SQL queries, allowing attackers to manipulate backend database commands. This vulnerability permits unauthenticated remote attackers to execute arbitrary SQL commands, potentially exposing or leaking sensitive data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates that the attack can be performed over the network without authentication or user interaction, with low attack complexity. The impact is primarily on confidentiality, as attackers can read sensitive information but cannot modify data or disrupt availability. The exact input vectors are unspecified, but the presence of this vulnerability suggests insufficient input validation in one or more database query parameters. No patches or exploit code are currently available, but the high severity score and ease of exploitation make this a critical issue for affected users. The vulnerability was reserved in March 2024 and published in August 2024, reflecting recent discovery. Organizations relying on AzureSoft MyHorus 4.3.5 should prioritize risk assessment and implement compensating controls while awaiting vendor remediation.

The primary impact of CVE-2024-28297 is unauthorized disclosure of sensitive data stored in the backend database of AzureSoft MyHorus 4.3.5. Attackers exploiting this vulnerability can execute arbitrary SQL queries, potentially extracting confidential information such as user credentials, business data, or configuration details. Although the vulnerability does not allow data modification or service disruption, the confidentiality breach can lead to further attacks, including identity theft, fraud, or lateral movement within networks. Organizations worldwide using this software in critical environments—such as finance, healthcare, or government—face increased risk of data breaches and compliance violations. The ease of exploitation without authentication or user interaction broadens the attack surface, making automated scanning and exploitation feasible. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant threat until patched. Failure to address this issue promptly could result in reputational damage, regulatory penalties, and operational risks.

Until an official patch is released by AzureSoft, organizations should implement the following specific mitigations: 1) Conduct a thorough audit of all input fields and parameters interacting with the database to identify potential injection points and apply strict input validation and sanitization. 2) Employ Web Application Firewalls (WAFs) with custom rules designed to detect and block SQL injection patterns targeting MyHorus endpoints. 3) Restrict database user permissions to the minimum necessary, avoiding use of highly privileged accounts for application database connections. 4) Monitor database logs and application logs for unusual query patterns or error messages indicative of injection attempts. 5) Segment and isolate systems running MyHorus to limit lateral movement in case of compromise. 6) Educate development and security teams on secure coding practices to prevent injection flaws in future releases. 7) Engage with AzureSoft support channels for updates and apply patches immediately upon availability. 8) Consider temporary disabling or restricting access to vulnerable modules if feasible. These targeted actions go beyond generic advice by focusing on compensating controls and proactive detection tailored to this specific vulnerability.