CVE-2025-12249 identifies a CSV Injection vulnerability in Axosoft Scrum and Bug Tracking version 22.1.1.11545, specifically in the Edit Ticket Page component where the 'Title' field input is not properly sanitized. CSV Injection occurs when untrusted input is embedded into CSV files as formulas or commands, which spreadsheet software like Microsoft Excel or LibreOffice Calc may execute upon opening. This vulnerability allows remote attackers to craft malicious 'Title' values that, when exported and opened by users, can execute arbitrary code or commands, potentially leading to data theft, corruption, or further network compromise. The vulnerability requires no authentication or user interaction to be exploited, increasing its risk profile. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no user interaction, and partial impacts on confidentiality, integrity, and availability. Despite early vendor notification, no patch or mitigation guidance has been provided, and public exploit code is available, increasing the likelihood of exploitation. This vulnerability is particularly concerning for organizations relying on Axosoft for project and bug tracking, as it can undermine data integrity and facilitate further attacks through malicious CSV exports.

For European organizations, this vulnerability poses risks primarily to the confidentiality and integrity of project management and bug tracking data. Attackers can inject malicious formulas into exported CSV files, which when opened by employees, can execute arbitrary commands or scripts, potentially leading to credential theft, malware deployment, or lateral movement within corporate networks. This can disrupt software development workflows, compromise sensitive project data, and damage organizational reputation. Given the remote exploitability and lack of required user interaction, the threat can propagate quickly once a malicious CSV is distributed internally. Organizations in sectors with high reliance on agile development tools, such as finance, telecommunications, and government, may face increased operational risks. The absence of a vendor patch increases exposure duration, making timely mitigation critical. Additionally, the medium CVSS score reflects moderate but tangible risks that could escalate if combined with other vulnerabilities or social engineering tactics.

European organizations should implement specific mitigations beyond generic advice: 1) Sanitize all user inputs in the 'Title' field and other CSV-exported fields to neutralize formula characters such as '=', '+', '-', and '@' by prefixing with a single quote or removing them. 2) Restrict CSV export functionality to trusted users and monitor export logs for unusual activity. 3) Educate users to open CSV files in safe modes or use spreadsheet software settings that disable automatic formula execution. 4) Implement network-level controls to detect and block suspicious outbound connections that may result from malicious CSV payload execution. 5) Regularly audit and review exported CSV files for injected formulas or anomalies. 6) Engage with Axosoft support channels to seek updates or patches and consider temporary migration to alternative tools if feasible. 7) Employ endpoint detection and response (EDR) solutions to identify and contain any exploitation attempts. These targeted actions will reduce the risk of exploitation and limit potential damage.