CVE-2025-11316 identifies a SQL injection vulnerability in the Tipray Data Leakage Prevention System (DLP) version 1.0, developed by 厦门天锐科技股份有限公司. The vulnerability resides in the findCategoryPage function within the findCategoryPage.do file. Specifically, the tenantId parameter is improperly sanitized, allowing an attacker to inject malicious SQL code remotely. This flaw does not require authentication or user interaction, making it easier to exploit. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction needed. The vulnerability can lead to partial compromise of confidentiality, integrity, and availability, potentially exposing sensitive data or enabling unauthorized database modifications. The vendor was contacted but has not issued any patches or advisories, and no known exploits have been observed in the wild yet. Given the nature of DLP systems, which are critical for protecting sensitive information, exploitation could have significant consequences. The lack of vendor response and patch availability increases the urgency for affected organizations to implement alternative mitigations.

For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive data protected by the Tipray DLP system, undermining data confidentiality and integrity. Attackers could extract or manipulate data, potentially causing data breaches or compliance violations under regulations such as GDPR. The availability of the DLP system might also be impacted, disrupting data protection workflows. Since the vulnerability can be exploited remotely without authentication, attackers could target exposed systems over the internet or internal networks. Organizations relying on this DLP product for critical data protection may face increased risk of intellectual property theft, regulatory penalties, and reputational damage. The absence of vendor patches means organizations must rely on compensating controls to mitigate risk until a fix is available.

1. Immediately restrict network access to the affected Tipray DLP system, limiting connections to trusted internal IPs and using firewalls or network segmentation to reduce exposure. 2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the tenantId parameter in findCategoryPage.do. 3. Conduct thorough input validation and sanitization on all user-supplied parameters, especially tenantId, if custom modifications or reverse engineering are possible. 4. Monitor logs for unusual database queries or error messages indicative of SQL injection attempts. 5. If feasible, deploy database activity monitoring tools to detect anomalous queries. 6. Engage with the vendor continuously for patch updates or official mitigations. 7. Consider isolating or temporarily disabling the vulnerable functionality if it is not critical to operations. 8. Prepare incident response plans specific to potential data leakage or integrity compromise scenarios related to this vulnerability. 9. Evaluate alternative DLP solutions if vendor support remains absent.