CVE-2024-45918 is a critical SQL Injection vulnerability identified in the Fujian Kelixin Communication Command and Dispatch Platform, specifically affecting versions up to 7.6.6.4391. The vulnerability resides in the /client/get_gis_fence.php endpoint, which fails to properly sanitize user-supplied input before incorporating it into SQL queries. This improper input validation allows remote attackers to inject malicious SQL code without requiring authentication or user interaction. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 9.8, reflecting its critical nature with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Successful exploitation can lead to full compromise of the backend database, enabling attackers to read, modify, or delete sensitive data, and potentially escalate to full system control. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a prime target for attackers. The lack of available patches at the time of publication increases the urgency for organizations to implement interim mitigations. Given the platform's use in communication command and dispatch, the impact on operational continuity and data confidentiality is substantial.

The impact of CVE-2024-45918 is severe for organizations using the Fujian Kelixin Communication Command and Dispatch Platform. Exploitation can lead to unauthorized disclosure of sensitive information, including operational data and possibly personal or classified information. Attackers could alter or delete critical data, disrupting communication and dispatch operations, which may have cascading effects on emergency response, public safety, or organizational command functions. The vulnerability also opens the door for attackers to gain deeper access into the affected systems, potentially leading to full system compromise. Given the critical role of the platform in communication and dispatch, such disruptions could result in operational downtime, loss of trust, regulatory penalties, and significant financial and reputational damage. The ease of exploitation without authentication or user interaction further elevates the risk, making widespread attacks plausible if the vulnerability is weaponized.

1. Immediate mitigation should focus on restricting access to the /client/get_gis_fence.php endpoint via network segmentation and access control lists to limit exposure to trusted IP addresses only. 2. Deploy Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts targeting this endpoint. 3. Implement strict input validation and sanitization on all user inputs, especially those interacting with SQL queries, to neutralize malicious payloads. 4. Monitor database logs and application logs for anomalous queries or repeated failed attempts indicative of exploitation attempts. 5. Coordinate with Fujian Kelixin for official patches or updates and apply them promptly once available. 6. Conduct security assessments and penetration testing focused on injection flaws to identify any other vulnerable endpoints. 7. Educate system administrators and security teams about this vulnerability and ensure incident response plans are updated to handle potential exploitation scenarios. 8. Consider deploying database activity monitoring tools to detect and alert on suspicious SQL commands in real time.