CVE-2025-11311 identifies a SQL injection vulnerability in version 1.0 of Tipray 厦门天锐科技股份有限公司's Data Leakage Prevention System (天锐数据泄露防护系统). The vulnerability resides in the findTenantPage function within the findTenantPage.do endpoint, specifically through improper handling of the 'sort' parameter. This parameter is vulnerable to injection of malicious SQL code because it lacks proper input validation or sanitization. An attacker can exploit this remotely without requiring authentication or user interaction, making it accessible over the network. Successful exploitation could allow attackers to execute arbitrary SQL queries against the backend database, potentially leading to unauthorized data disclosure, data modification, or disruption of service. The vendor was notified early but has not issued a patch or response, and no known exploits have been observed in the wild yet. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user interaction needed. The vulnerability impacts confidentiality, integrity, and availability to a limited extent due to the scope of the affected function and the nature of the system. Given the product's role in data leakage prevention, exploitation could ironically undermine the very data protection it is designed to enforce.

For European organizations, this vulnerability poses a significant risk to the security of sensitive data managed by the Tipray Data Leakage Prevention System. Exploitation could lead to unauthorized access to confidential information, manipulation of data leakage prevention policies, or disruption of data protection mechanisms. This could result in data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential financial penalties. Organizations relying on this system for critical data protection may face increased exposure to insider threats or external attackers leveraging this vulnerability to bypass controls. The lack of vendor response and patch availability increases the risk window. Additionally, the remote and unauthenticated nature of the exploit means attackers can attempt exploitation from outside the network, increasing the threat surface. The medium severity score suggests that while the impact is serious, it may be limited by the specific deployment context and the extent of the vulnerable functionality.

European organizations should implement immediate compensating controls given the absence of an official patch. Specific recommendations include: 1) Implement strict input validation and sanitization on the 'sort' parameter at the web application firewall (WAF) or reverse proxy level to block malicious SQL payloads. 2) Restrict database user permissions associated with the application to the minimum necessary, preventing unauthorized data modification or extraction. 3) Employ network segmentation to isolate the Data Leakage Prevention System from less trusted networks and limit exposure. 4) Monitor logs and network traffic for anomalous queries or patterns indicative of SQL injection attempts targeting the findTenantPage.do endpoint. 5) Consider deploying runtime application self-protection (RASP) solutions to detect and block injection attacks in real time. 6) Engage with the vendor for updates or consider alternative solutions if the vendor remains unresponsive. 7) Conduct regular security assessments and penetration tests focusing on injection vulnerabilities within the system. These targeted measures go beyond generic advice by focusing on the specific vulnerable parameter and the operational context of the affected product.