CVE-2025-10090 is a SQL Injection vulnerability identified in Jinher OA versions up to 1.2. The vulnerability resides in an unspecified function within the file /C6/Jhsoft.Web.departments/GetTreeDate.aspx. Specifically, the flaw allows an attacker to manipulate the 'ID' argument in a way that leads to SQL Injection, enabling unauthorized database queries. The attack vector is remote and does not require any authentication or user interaction, making exploitation straightforward. The vulnerability has a CVSS 4.0 base score of 6.9, categorized as medium severity. The CVSS vector indicates that the attack can be performed over the network (AV:N), requires low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is low, suggesting limited but non-negligible data exposure or modification potential. Although no public exploits are currently known in the wild, proof-of-concept code has been published, increasing the risk of exploitation. Jinher OA is an office automation software product, likely used by organizations for internal management and workflow automation. The vulnerability could allow attackers to extract sensitive information from the backend database or modify data, potentially disrupting business processes or leaking confidential organizational data.

For European organizations using Jinher OA versions 1.0 to 1.2, this vulnerability poses a moderate risk. Successful exploitation could lead to unauthorized access to internal databases, potentially exposing sensitive employee, operational, or customer data. While the impact on availability is low, data integrity and confidentiality could be compromised, affecting trust and compliance with data protection regulations such as GDPR. The lack of required authentication means attackers can exploit this remotely without prior access, increasing exposure. Organizations in sectors with high regulatory scrutiny or handling sensitive information (e.g., finance, healthcare, government) may face reputational damage and legal consequences if exploited. Additionally, the presence of published exploit code could accelerate attack attempts, especially targeting unpatched systems. However, the medium severity and low impact ratings suggest that the vulnerability is unlikely to cause widespread disruption or critical system failures but should still be addressed promptly to avoid data breaches.

To mitigate this vulnerability, European organizations should immediately identify and inventory all instances of Jinher OA versions 1.0, 1.1, and 1.2 in their environment. Since no official patches are currently linked, organizations should contact Jinher for security updates or advisories. In the interim, implement web application firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the /C6/Jhsoft.Web.departments/GetTreeDate.aspx endpoint, specifically monitoring the 'ID' parameter. Conduct thorough input validation and sanitization on all user-supplied inputs, particularly the 'ID' argument, to prevent injection attacks. Employ database least privilege principles to limit the impact of any successful injection. Regularly monitor logs for anomalous queries or access patterns. Additionally, consider network segmentation to isolate the OA system from critical infrastructure and restrict external access where possible. Finally, prepare incident response plans to quickly address any exploitation attempts.