CVE-2025-12249: CSV Injection in Axosoft Scrum and Bug Tracking
A vulnerability was detected in Axosoft Scrum and Bug Tracking 22.1.1.11545. The impacted element is an unknown function of the component Edit Ticket Page. Performing manipulation of the argument Title results in CSV injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-12249 identifies a CSV Injection vulnerability in Axosoft Scrum and Bug Tracking version 22.1.1.11545, specifically within the Edit Ticket Page component. The vulnerability arises when an attacker manipulates the 'Title' field input, which is later exported into CSV files without proper sanitization or escaping. CSV Injection, also known as Formula Injection, occurs when malicious spreadsheet formulas are embedded in CSV data fields. When such CSV files are opened in spreadsheet applications like Microsoft Excel or LibreOffice Calc, the formulas can execute arbitrary commands, potentially leading to data exfiltration, system compromise, or further malware deployment. This vulnerability can be triggered remotely without requiring authentication or user interaction, increasing its risk profile. The vendor was notified but has not issued any patches or mitigation guidance. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the attack vector is network-based with low complexity and no privileges or user interaction needed, but with limited impact on confidentiality, integrity, and availability. No known exploits are currently observed in the wild, but public exploit code availability raises the risk of exploitation. The lack of vendor response and patch availability means organizations must rely on internal controls and mitigations to reduce exposure.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of data managed within Axosoft Scrum and Bug Tracking systems. Attackers could inject malicious formulas into CSV exports which, when opened by users, might execute arbitrary commands or scripts, potentially leading to data leakage or further compromise of user systems. This is particularly concerning for organizations that rely heavily on Axosoft for project management and bug tracking, as sensitive project data or internal communications could be exposed or manipulated. The remote and unauthenticated nature of the exploit increases the attack surface, especially for organizations with externally accessible instances of the affected software. While availability impact is limited, the reputational damage and operational disruption from data integrity breaches could be significant. The absence of vendor patches means prolonged exposure until mitigations are implemented. European entities in sectors such as software development, IT services, and critical infrastructure that use Axosoft products are at heightened risk.
Mitigation Recommendations
1. Implement strict input validation and sanitization on all user-supplied data fields, especially the 'Title' field in the Edit Ticket Page, to neutralize any characters that could be interpreted as spreadsheet formulas (e.g., '=', '+', '-', '@').
2. Apply output encoding or escape potentially dangerous characters before exporting data to CSV files to prevent formula execution.
3. Educate users to open CSV files in text editors or spreadsheet applications with formula execution disabled or in protected view modes.
4. Restrict access to the Axosoft Scrum and Bug Tracking web interface to trusted networks and users to reduce exposure to remote attacks.
5. Monitor logs for unusual input patterns or repeated attempts to inject malicious content.
6. If feasible, disable CSV export functionality temporarily until a vendor patch or official fix is available.
7. Maintain up-to-date backups of project data to enable recovery in case of compromise.
8. Engage with the vendor for updates and consider alternative tools if the vendor remains unresponsive.
9. Employ network-level protections such as Web Application Firewalls (WAF) to detect and block injection attempts targeting the vulnerable parameter.
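The following is an added example, not Axosoft's code, showing how mitigations 1, 2 and 5 above look in practice for the CSV-export path described in the technical summary: a formula check for the Title field, a neutralizing export writer, and a review helper that flags already-stored titles. The ticket records are constructed sample data; the function names are the example's own.

```python
import csv
import io

# Leading characters that Excel and LibreOffice Calc treat as the start of a
# formula. '-' and '+' are included on purpose (Calc evaluates "+1+1"), so a
# title such as "-1 regression" is flagged too; that over-flagging is intended.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """True if a cell value would be parsed as a formula when the CSV is opened."""
    return bool(value) and value[0] in FORMULA_TRIGGERS


def neutralize_cell(value: str) -> str:
    """Prefix a risky cell with a single quote so spreadsheets treat it as text.
    CSV-level quoting alone does not help: the surrounding double quotes are
    stripped on import and the '=' would still be evaluated."""
    return "'" + value if looks_like_formula(value) else value


def export_csv(rows, fieldnames) -> str:
    """Export tickets as CSV with every field quoted and formula cells neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(str(row.get(k, ""))) for k in fieldnames})
    return buf.getvalue()


def find_suspicious_titles(rows):
    """Review helper: ids of tickets whose stored Title already looks like a
    formula, so they can be inspected before the next export is produced."""
    return [row["id"] for row in rows if looks_like_formula(str(row.get("Title", "")))]


# Constructed sample tickets (not real Axosoft data); 102 carries a harmless formula.
SAMPLE_TICKETS = [
    {"id": 101, "Title": "Login page timeout", "Status": "Open"},
    {"id": 102, "Title": "=SUM(1,2) unexpected title", "Status": "Open"},
    {"id": 103, "Title": "-1 regression in search", "Status": "Closed"},
]

if __name__ == "__main__":
    print(find_suspicious_titles(SAMPLE_TICKETS))
    print(export_csv(SAMPLE_TICKETS, ["id", "Title", "Status"]))
```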
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-26T05:25:26.690Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ff2ce08f87cfec3de104fa
Added to database: 10/27/2025, 8:27:12 AM
Last enriched: 11/3/2025, 8:34:27 AM
Last updated: 12/10/2025, 9:06:50 PM
Views: 156