
CVE-2025-10197: SQL Injection in HJSoft HCM Human Resources Management System

Severity: Medium
Published: Wed Sep 10 2025 (09/10/2025, 00:32:06 UTC)
Source: CVE Database V5
Vendor/Project: HJSoft
Product: HCM Human Resources Management System

Description

A vulnerability was found in HJSoft HCM Human Resources Management System up to 20250822. Affected by this vulnerability is an unknown functionality of the file /templates/attestation/../../selfservice/lawresource/downlawbase. Performing manipulation of the argument ID results in SQL injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/10/2025, 01:06:59 UTC

Technical Analysis

CVE-2025-10197 is a medium-severity SQL injection vulnerability in the HJSoft HCM Human Resources Management System, affecting versions up to 20250822. The flaw resides in an unspecified function reached through the file path /templates/attestation/../../selfservice/lawresource/downlawbase; once the dot segments are collapsed, this path resolves to /selfservice/lawresource/downlawbase, so both forms should be treated as the same endpoint. Manipulation of the 'ID' argument of that request lets an attacker inject SQL into the backend query. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates that the flaw is reachable over the network with low attack complexity, needs no user interaction, and requires only low privileges, so an ordinary authenticated user of the self-service portal is sufficient. The impact on confidentiality, integrity, and availability is rated low (VC:L/VI:L/VA:L): the attacker can execute SQL statements, but the scope of damage is constrained. The vendor was notified early but has neither responded nor provided a patch, and a public exploit exists, which raises the likelihood of exploitation. The CVSS score of 5.3 reflects a moderate risk, driven mainly by the ease of exploitation and the sensitivity of the HR data the system holds. An HCM system typically manages employee records, payroll, and other personal data, so this vulnerability is significant for any organization that relies on the software. With no vendor response and no patch, users of the affected versions need to act on compensating controls now.

Potential Impact

For European organizations, this vulnerability puts the confidentiality and integrity of sensitive employee data at risk, including personal identification details, payroll information, and other HR records. Exploitation could lead to unauthorized data disclosure, data manipulation, or disruption of HR services, affecting business operations and compliance with data protection regulations such as GDPR. Given the sensitivity of HR data, a successful attack could result in reputational damage, legal penalties, and financial losses. The exploit is remote and requires only a low-privileged account, which increases the threat for organizations whose HCM self-service portal is reachable from outside the corporate network. Because no vendor patch exists, organizations must rely on internal mitigations, adding operational burden. The medium severity rating indicates that the vulnerability, while serious, is unlikely to lead to full system compromise on its own; it still represents a significant risk to data security and operational continuity.

Mitigation Recommendations

Organizations using HJSoft HCM Human Resources Management System up to version 20250822 should implement the following mitigations immediately:

1) Restrict external access to the affected application components, especially the selfservice/lawresource/downlawbase endpoint, using network segmentation and firewall rules.
2) Deploy a Web Application Firewall (WAF) with custom rules that inspect the 'ID' parameter of requests to that endpoint; normalize the request path first so that the /templates/attestation/../../ form and the direct /selfservice/... form are matched by the same rule.
3) Enforce strict input validation on all user-supplied inputs, particularly the 'ID' argument: if it is a record key, accept only the expected numeric form and reject everything else rather than trying to filter injection patterns.
4) Monitor application and web server logs for requests to the endpoint whose 'ID' value does not match the expected form, and for database errors following such requests.
5) Upgrade to a fixed version as soon as the vendor releases a patch, or consider alternative HR management solutions with active security support.
6) Apply least privilege to the database account used by the application, so that a successful injection cannot read or modify tables beyond what the application needs.
7) Brief IT and security teams on this vulnerability so that exploitation attempts are detected and handled quickly.

Since no official patch is available, these compensating controls are critical to reducing risk.
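The log-monitoring and input-validation recommendations above, as an added example that is not part of the original advisory or of the vendor's software: it reads constructed Common Log Format access-log lines, collapses dot segments so the /templates/attestation/../../ form matches the direct /selfservice/lawresource/downlawbase path, and flags any request to that endpoint whose 'ID' is not a plain integer. The assumption that 'ID' is an integer record key is mine, not stated by the advisory.

```python
import re
from posixpath import normpath
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named by the advisory, in its canonical (dot-segment-free) form.
TARGET_PATH = "/selfservice/lawresource/downlawbase"
# Assumption (not from the advisory): a legitimate ID is a plain integer key.
ID_OK = re.compile(r"^\d{1,10}$")

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalize_path(raw_path: str) -> str:
    """Percent-decode and collapse '.' / '..' so /a/../b equals /b."""
    return normpath(unquote(raw_path))


def inspect_request(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious downlawbase request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    parts = urlsplit(m.group("target"))
    if normalize_path(parts.path) != TARGET_PATH:
        return None  # some other endpoint; out of scope here
    ids: List[str] = []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == "id":  # tolerate ID / id / Id
            ids.extend(values)
    # Allow-list check: anything that is not a bare integer is flagged,
    # as is a duplicated ID parameter (a common parser-confusion trick).
    if ids and len(ids) == 1 and ID_OK.match(ids[0]):
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
            "raw_path": parts.path, "ids": ",".join(ids)}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run inspect_request over every line and collect the findings."""
    return [f for f in map(inspect_request, log_text.splitlines()) if f]


# Constructed sample log: one benign request, one via the traversal-style
# path with a quote in ID, one request to an unrelated endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:00:40:01 +0000] "GET /selfservice/lawresource/downlawbase?ID=1042 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Sep/2025:00:40:09 +0000] "GET /templates/attestation/../../selfservice/lawresource/downlawbase?ID=1042%27 HTTP/1.1" 500 312
198.51.100.3 - - [10/Sep/2025:00:41:15 +0000] "GET /selfservice/home?ID=x HTTP/1.1" 200 77
"""
```

Running `scan(SAMPLE_LOG)` yields a single finding for the second line; the 500 status on that request is the kind of follow-on signal worth correlating with database error logs.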


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-09T16:14:04.492Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c0cb539ed239a66bae6162

Added to database: 9/10/2025, 12:50:27 AM

Last enriched: 9/10/2025, 1:06:59 AM

Last updated: 9/10/2025, 4:07:20 AM
