CVE-2024-54761 is a SQL Injection vulnerability found in BigAnt Office Messenger version 5.6.06. The vulnerability arises from improper sanitization of the 'dev_code' parameter, which is used in backend SQL queries without adequate validation or parameterization. An attacker can exploit this flaw by crafting malicious input that alters the intended SQL command, potentially allowing unauthorized access to or manipulation of the application's database. The vulnerability is remotely exploitable over the network without requiring authentication, but it does require user interaction, such as clicking a malicious link or sending a crafted message that triggers the injection. The CVSS 3.1 score of 6.3 reflects a medium severity impact, with partial loss of confidentiality, integrity, and availability. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Currently, there are no known exploits in the wild, and no official patches have been released. This vulnerability poses a risk to organizations using BigAnt Office Messenger for internal communications, as exploitation could lead to data leakage, unauthorized data modification, or disruption of messaging services.

The SQL Injection vulnerability could allow attackers to extract sensitive information from the database, modify or delete data, or disrupt the availability of the messaging service. This could lead to exposure of confidential communications, loss of data integrity, and potential denial of service conditions. For organizations relying on BigAnt Office Messenger for critical internal communications, this could result in operational disruptions and reputational damage. Since the vulnerability requires user interaction but no authentication, phishing or social engineering could be used to facilitate exploitation. The absence of known exploits reduces immediate risk, but the lack of patches means the vulnerability remains a persistent threat. Attackers targeting sectors with sensitive communications, such as government, finance, or healthcare, could leverage this flaw to gain footholds or exfiltrate data.

Organizations should implement strict input validation and sanitization for all user-supplied data, especially parameters like 'dev_code'. Employing parameterized queries or prepared statements in the application's database interactions can prevent SQL Injection. Until an official patch is released, network-level protections such as web application firewalls (WAFs) should be configured to detect and block SQL Injection attempts targeting the vulnerable parameter. User awareness training to recognize phishing or suspicious messages can reduce the risk of exploitation via user interaction. Monitoring database logs and application behavior for unusual queries or errors can help detect attempted exploitation. Organizations should maintain an inventory of affected software versions and plan for timely updates once patches become available. Engaging with the vendor for status on patch releases and applying them promptly is critical.