CVE-2025-10197: SQL Injection in HJSoft HCM Human Resources Management System
A vulnerability was found in HJSoft HCM Human Resources Management System up to 20250822. Affected by this vulnerability is an unknown functionality of the file /templates/attestation/../../selfservice/lawresource/downlawbase. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10197 is a SQL injection vulnerability in the HJSoft HCM Human Resources Management System, affecting versions up to 20250822. The flaw lies in an unspecified function reached through the file path /templates/attestation/../../selfservice/lawresource/downlawbase, where the 'ID' argument is incorporated into a database query without adequate validation, so an attacker who controls that argument can alter the query. The '../../' segment in the published path means the request is served by the /selfservice/lawresource/downlawbase handler after path normalization; defenders should treat both the raw form and the normalized form as the vulnerable endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates network reachability, low attack complexity and no user interaction, but PR:L means the attacker needs a low-privileged account on the system, such as an ordinary employee self-service login; the issue is not exploitable anonymously. Successful exploitation affects the confidentiality, integrity and availability of the underlying database: an attacker could read sensitive HR records, modify them, or disrupt operations. The vendor did not respond to early disclosure, and a public exploit is available, although exploitation in the wild has not been confirmed. The CVSS 4.0 base score is 5.3 (medium). The scope is limited to HJSoft HCM, a specialized HR management system used by organizations that manage employee data and HR workflows.
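The defect class described above, as an added example that is not HJSoft's code and does not reproduce the product's actual query: a hypothetical "download by ID" lookup written the injectable way next to the parameterized fix, run against an in-memory SQLite table. The table name, columns, rows, the payload string and the 'ID' handling are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data standing in for a "legal resource" table in an HR
# system. Table name, columns and rows are assumptions for this illustration,
# not taken from HJSoft HCM.
SAMPLE_ROWS = [
    (1, "leave-policy.pdf", "public"),
    (2, "payroll-rules.pdf", "hr-only"),
    (3, "severance-template.docx", "hr-only"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE lawbase (id INTEGER PRIMARY KEY, filename TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO lawbase VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def download_vulnerable(conn, id_param):
    """The injectable pattern: the request parameter is spliced into the SQL
    text, so a value like "1 OR 1=1" changes the query instead of being a
    value compared against the id column."""
    sql = "SELECT id, filename FROM lawbase WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def download_hardened(conn, id_param):
    """The fix: enforce the parameter's type, then bind it as a value.
    Anything that is not a plain integer is rejected before SQL runs."""
    if not id_param.isdigit():
        raise ValueError("ID must be a positive integer")
    sql = "SELECT id, filename FROM lawbase WHERE id = ?"
    return conn.execute(sql, (int(id_param),)).fetchall()


def demo():
    """Run both variants with a benign and an injected ID (constructed payload)."""
    conn = make_db()
    injected = "1 OR 1=1"  # hypothetical payload for the demonstration only
    try:
        download_hardened(conn, injected)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_benign": download_vulnerable(conn, "1"),
        "vulnerable_injected": download_vulnerable(conn, injected),
        "hardened_benign": download_hardened(conn, "1"),
        "hardened_injected_rejected": rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With string concatenation, the injected value returns every row, including the "hr-only" entries; with type enforcement plus a bound parameter, the same value is refused and the benign lookup still returns exactly one row.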
Potential Impact
For European organizations using HJSoft HCM, this vulnerability puts sensitive employee data at risk, including personal identification, payroll and legal compliance information. Exploitation could lead to unauthorized data disclosure, data tampering or denial of service, undermining trust and potentially breaching GDPR and other data protection obligations. The attack needs only a low-privileged account and no user interaction, and employee self-service portals are by design available to every member of staff, so any user with a valid login is a potential attacker; an externally reachable portal widens that pool to anyone who can obtain or phish such credentials. Compromise of an HR system can also support lateral movement within the corporate network and expose broader enterprise assets. The lack of a vendor response and the absence of a patch leave affected organizations exposed until mitigations or updates are available.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement compensating controls now. These include: 1) Restricting external access to the affected HR system via network segmentation and firewall rules, limiting exposure to trusted internal networks or VPN users only. 2) Employing a Web Application Firewall (WAF) with custom rules that inspect the 'ID' parameter on requests to the vulnerable endpoint; because the published path contains a '../../' segment, the rule must match both the raw path under /templates/attestation/ and the normalized path /selfservice/lawresource/downlawbase, and should reject any 'ID' value that is not a plain integer. 3) If the application code can be customized, replacing string-built queries on this endpoint with parameterized queries and enforcing an integer type on 'ID' before it reaches the database layer. 4) Monitoring web server and database logs for requests to the endpoint that carry traversal segments or non-numeric 'ID' values, and for unusually large responses or database errors following such requests. 5) Preparing for rapid deployment of a vendor patch once available and maintaining contact with HJSoft for updates. 6) Considering temporary isolation of the HR portal or of critical HR data until the vulnerability is remediated. 7) Because exploitation requires a valid low-privileged account, enforcing multi-factor authentication on the portal, reviewing accounts for unused or shared logins, and raising employee awareness of credential phishing that could supply an attacker with the access this flaw needs.
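Items 2 and 4 above, as an added example that is not part of the original advisory and not HJSoft tooling: a small Python scanner for web access logs that normalizes each request path so that the published /templates/attestation/../../selfservice/lawresource/downlawbase form and the direct /selfservice/lawresource/downlawbase form are treated as the same endpoint, then flags requests whose 'ID' parameter is not a plain integer or whose raw path carries a traversal segment. The log lines are constructed for the demonstration; the combined log format, the parameter name casing and the status-code field are assumptions about the deployment.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Normalized form of the endpoint named in the advisory. Requests are compared
# after normalization as well as in their raw form, because the published path
# reaches this handler through a "../../" segment.
TARGET_PATH = "/selfservice/lawresource/downlawbase"

# Combined-log-format style line (Apache/nginx). Assumed format for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for the demonstration; not from a real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2025:08:01:02 +0000] "GET /selfservice/lawresource/downlawbase?ID=12 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Sep/2025:08:02:10 +0000] "GET /templates/attestation/../../selfservice/lawresource/downlawbase?ID=12%20OR%201%3D1 HTTP/1.1" 200 88123
203.0.113.9 - - [10/Sep/2025:08:02:11 +0000] "GET /templates/attestation/../../selfservice/lawresource/downlawbase?ID=12'%20AND%20SLEEP(5)--%20- HTTP/1.1" 500 0
10.0.0.7 - - [10/Sep/2025:08:03:00 +0000] "GET /selfservice/home HTTP/1.1" 200 311
"""


def normalise_path(raw_path):
    """Percent-decode and collapse '..' segments the way a server would."""
    return posixpath.normpath(unquote(raw_path))


def analyse_line(line):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if normalise_path(parts.path) != TARGET_PATH:
        return None
    params = parse_qs(parts.query)
    # Parameter name casing may vary by deployment; both spellings are checked.
    ids = params.get("ID", []) + params.get("id", [])
    reasons = []
    if ".." in unquote(parts.path):
        reasons.append("traversal segment in raw path")
    for value in ids:
        if not value.isdigit():
            reasons.append("non-numeric ID value: %r" % value)
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "reasons": reasons,
    }


def scan(log_text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same normalization belongs in the WAF rule: a rule that matches only the literal advisory path misses requests sent straight to the normalized path, while a rule that matches only the normalized path misses the traversal form if the WAF inspects the URL before the server collapses it. The first sample request (numeric ID, direct path) produces no finding; the two requests from 203.0.113.9 are flagged for both the traversal segment and the non-numeric ID.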
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-09T16:14:04.492Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 9/10/2025, 12:50:27 AM
Last enriched: 9/17/2025, 1:12:13 AM
Last updated: 10/29/2025, 12:59:50 PM