
CVE-2025-12287: SQL Injection in Bdtask Wholesale Inventory Control and Inventory Management System

Severity: Medium
Published: Mon Oct 27 2025 (10/27/2025, 14:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Bdtask
Product: Wholesale Inventory Control and Inventory Management System

Description

CVE-2025-12287 is a medium-severity SQL injection vulnerability in Bdtask Wholesale Inventory Control and Inventory Management System version 20251013 and earlier. The flaw is in the /Admin_dashboard/edit_profile endpoint, where the first_name and last_name parameters reach the database layer without adequate validation or parameterization, so an authenticated user with high (administrative) privileges can inject SQL. The attack is carried out remotely and needs no user interaction. The issue has been publicly disclosed; the vendor has not responded or released a patch, and no exploitation in the wild is known. Successful exploitation yields partial compromise of the confidentiality, integrity and availability of the backend database. European organizations running this system, particularly in countries with large SME and wholesale sectors, are within the affected population. With no fix available, mitigation rests on compensating controls: restricting who can reach the endpoint, adding server-side validation and parameterized queries where the code can be modified, monitoring database activity for anomalous queries, and isolating the affected system where possible.

AI-Powered Analysis

Last updated: 11/03/2025, 15:18:36 UTC

Technical Analysis

CVE-2025-12287 is a SQL injection vulnerability in the Bdtask Wholesale Inventory Control and Inventory Management System affecting version 20251013 and earlier. It sits in the /Admin_dashboard/edit_profile endpoint: the first_name and last_name parameters are not adequately validated before they are used in a database query, so an authenticated user with high privileges can submit crafted values that change the structure of the query instead of being treated as data. Because the attacker must already hold an administrative session, the practical gain is not initial access but direct read and write access to the backend database beyond what the application's own screens expose, for example other users' records or tables the profile form never touches; the realistic paths to exploitation are a malicious insider or an attacker who has obtained administrator credentials by other means. The CVSS 4.0 base score is 5.1 (medium): the high-privilege requirement pulls the score down, while network reachability, low attack complexity and the absence of any user interaction keep it from being lower. The reported impact is partial loss of confidentiality, integrity and availability of inventory data, which in practice means data leakage, record corruption and disrupted operations. The vulnerability has been publicly disclosed and no patch or vendor statement exists; no exploitation in the wild has been reported, but public details combined with no fix raise the likelihood that one appears. The product is used by wholesale and retail businesses for supply chain and inventory operations, which is where the exposure matters.
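The flaw class described above, as an added illustration that is not code from the Bdtask product (its actual table layout and query are not public): a constructed `users` table in SQLite, a profile update built by string concatenation the way the vulnerable endpoint is reported to behave, and the same update with bound parameters. The payload is a generic, constructed last_name value; through the concatenated query it rewrites another user's row, while the parameterized version stores it as a literal string.

```python
import sqlite3

# Constructed schema standing in for the application's profile table.
# The real Bdtask schema and query are not public; this only shows the
# class of flaw (string-built UPDATE) next to the fix (bound parameters).
SCHEMA = """
CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    first_name TEXT NOT NULL,
    last_name  TEXT NOT NULL,
    role       TEXT NOT NULL
);
INSERT INTO users VALUES (1, 'Alice', 'Admin', 'admin');
INSERT INTO users VALUES (2, 'Bob',   'Clerk', 'clerk');
"""


def new_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_profile_vulnerable(conn, user_id, first_name, last_name):
    """Vulnerable pattern: form fields are spliced into the SQL text.

    Only the id is coerced; the two name fields are trusted verbatim, so a
    quote in them ends the string literal and the rest becomes SQL.
    Returns the query that was actually executed, for inspection.
    """
    sql = (
        f"UPDATE users SET first_name = '{first_name}', last_name = '{last_name}' "
        f"WHERE id = {int(user_id)}"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def update_profile_fixed(conn, user_id, first_name, last_name):
    """Fix: placeholders. The driver passes the values separately from the
    query text, so quotes, comment markers and keywords in a name are data."""
    conn.execute(
        "UPDATE users SET first_name = ?, last_name = ? WHERE id = ?",
        (first_name, last_name, int(user_id)),
    )
    conn.commit()


def snapshot(conn):
    """{id: (first_name, last_name, role)} for every row."""
    rows = conn.execute(
        "SELECT id, first_name, last_name, role FROM users ORDER BY id"
    )
    return {r[0]: (r[1], r[2], r[3]) for r in rows}


# Constructed payload for the last_name field: closes the string literal,
# appends a column assignment, redirects the WHERE clause to user 2 and
# comments out the original WHERE clause with '--'.
PAYLOAD_LAST_NAME = "x', role = 'admin' WHERE id = 2 --"


def demo():
    """Run the payload through both versions as user 1 and return the tables."""
    vuln = new_db()
    executed = update_profile_vulnerable(vuln, 1, "Alice", PAYLOAD_LAST_NAME)
    fixed = new_db()
    update_profile_fixed(fixed, 1, "Alice", PAYLOAD_LAST_NAME)
    return {"executed_sql": executed, "vulnerable": snapshot(vuln), "fixed": snapshot(fixed)}


if __name__ == "__main__":
    result = demo()
    print("query run by the vulnerable version:\n  ", result["executed_sql"])
    print("table after vulnerable update:", result["vulnerable"])
    print("table after fixed update:     ", result["fixed"])
```

In the vulnerable run, user 1 edits their own profile and ends up modifying user 2's name and role, which is exactly the integrity impact the advisory describes: the acting administrator can reach rows the form was never meant to write. In the fixed run, the same input is stored in user 1's last_name field character for character and user 2 is untouched.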

Potential Impact

For European organizations, exploitation of this vulnerability could expose sensitive inventory and business data, with data breaches, financial loss and operational disruption as the consequences. Wholesale and retail companies running the affected Bdtask system face inventory manipulation, loss of data integrity and disclosure of confidential supplier or customer information. Where personal data is held in the system, a compromise also becomes a GDPR matter. Disruption of the inventory management process feeds directly into supply chain efficiency and business continuity. Because the vendor has not responded, organizations may be exposed for an extended period without an official patch, which increases the window for targeted attacks. The medium severity score reflects a moderate but real risk, highest where the system is central to daily operations and where administrative access is widely held.

Mitigation Recommendations

Organizations should first audit their estate for the Bdtask Wholesale Inventory Control and Inventory Management System and record the installed version; anything at 20251013 or earlier is affected. Since no official patch is available, apply compensating controls:

1) Restrict reachability of the administration interface, including /Admin_dashboard/edit_profile, to trusted administrator networks through segmentation, firewall rules or a VPN. The flaw needs an administrative session, so the exposure of that interface defines who can attempt it.
2) Place a Web Application Firewall in front of the application with rules that inspect the first_name and last_name fields on POSTs to the endpoint for SQL comment markers, statement terminators, UNION SELECT and tautologies. Do not simply block apostrophes: surnames such as O'Brien are legitimate input, and a rule that rejects them creates a support problem without closing the hole.
3) If the source is available and modification is permitted, change the profile update to use parameterized queries (prepared statements) and add server-side validation of the name fields. Parameterization is the actual fix; validation is defense in depth.
4) Monitor for injection attempts. Web server access logs normally do not record POST bodies, so capture must happen at the WAF or inside the application, complemented by database query and error logs. Look for SQL syntax errors from the application account, UPDATE or SELECT statements whose shape differs from the application's normal queries, and changes to records other than the acting administrator's own profile.
5) Enforce strong authentication (including MFA) on the administration interface and keep administrative accounts to a minimum, since each one can exercise the flaw. Apply the same principle to the database account the application uses: grant it only the tables and operations it needs, so an injected query cannot reach unrelated data or schema.
6) Where the system cannot be protected adequately, isolate it from critical networks until a vendor patch or a secure update is available.
7) Prepare an incident response plan for the exploitation scenario: which logs to preserve, which records to validate against a known-good backup, and how to rotate credentials held in the database.
8) Track vendor and community channels for updates or unofficial patches, and re-test the endpoint after any update before relaxing the controls above.
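Mitigation items 2 and 4 above describe pattern-based detection and a name allowlist; the following Python is an added example implementing both, not part of the advisory or of the Bdtask product. It runs over constructed request records of the kind a WAF or an application-layer logging hook would see (access logs alone would not carry the POST body). The path and field names come from the advisory; the timestamps, source addresses, sample values, allowlist and pattern set are assumptions to be tuned for a real deployment.

```python
import re

TARGET_PATH = "/Admin_dashboard/edit_profile"
TARGET_PARAMS = ("first_name", "last_name")

# Allowlist for a human name: a letter (ASCII or Latin-1 accented) followed by
# up to 63 letters, spaces, apostrophes, periods or hyphens. Assumed policy.
NAME_OK = re.compile(r"^[A-Za-zÀ-ÖØ-öø-ÿ][A-Za-zÀ-ÖØ-öø-ÿ' .-]{0,63}$")

# Fragments with no business in a name. A bare apostrophe is deliberately
# absent: O'Brien is a real surname, and what makes a quote harmless is the
# bound parameter in the application, not a WAF rule that rejects it.
SUSPICIOUS = re.compile(
    r"--|/\*|\*/|;"                       # comment markers, statement terminator
    r"|'\s*(or|and)\b"                    # quote-break followed by a boolean
    r"|\b(or|and)\b\s+\S+\s*=\s*\S+"      # tautologies such as OR 1=1
    r"|\bunion\b\s+(all\s+)?select\b"     # UNION [ALL] SELECT
    r"|\b(sleep|benchmark|waitfor|load_file|information_schema)\b",
    re.IGNORECASE,
)


def check_value(value):
    """Return a reason string if the value looks like an injection attempt
    or fails the name allowlist, otherwise None."""
    m = SUSPICIOUS.search(value)
    if m:
        return f"sql fragment {m.group(0)!r}"
    if not NAME_OK.match(value):
        return "fails name allowlist"
    return None


def scan_requests(requests):
    """Flag POSTs to the vulnerable endpoint whose name fields are suspect.

    Each request is a dict with ts, src, method, path and form (field -> value),
    the shape a WAF or application logging hook would hand over. Returns one
    finding per offending field so analysts see which parameter was targeted.
    """
    findings = []
    for req in requests:
        if req["method"] != "POST" or req["path"] != TARGET_PATH:
            continue
        for param in TARGET_PARAMS:
            value = req.get("form", {}).get(param, "")
            reason = check_value(value)
            if reason:
                findings.append({
                    "ts": req["ts"], "src": req["src"], "param": param,
                    "value": value, "reason": reason,
                })
    return findings


# Constructed sample traffic: two legitimate edits (one with an apostrophe in
# the surname), two injection attempts from one address, and one GET that is
# out of scope because the flaw is in the submitted form fields.
SAMPLE_REQUESTS = [
    {"ts": "2025-10-27T14:32:06Z", "src": "10.0.5.21", "method": "POST", "path": TARGET_PATH,
     "form": {"first_name": "Alice", "last_name": "Admin"}},
    {"ts": "2025-10-27T14:33:10Z", "src": "10.0.5.22", "method": "POST", "path": TARGET_PATH,
     "form": {"first_name": "Conor", "last_name": "O'Brien"}},
    {"ts": "2025-10-27T14:35:41Z", "src": "203.0.113.7", "method": "POST", "path": TARGET_PATH,
     "form": {"first_name": "x", "last_name": "x', role = 'admin' WHERE id = 2 --"}},
    {"ts": "2025-10-27T14:35:58Z", "src": "203.0.113.7", "method": "POST", "path": TARGET_PATH,
     "form": {"first_name": "a' OR 1=1 --", "last_name": "b"}},
    {"ts": "2025-10-27T14:36:12Z", "src": "10.0.5.23", "method": "GET", "path": TARGET_PATH,
     "form": {}},
]


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['ts']} {f['src']} {f['param']}={f['value']!r}: {f['reason']}")
```

The allowlist is the stricter of the two checks and is what a server-side validation change under item 3 would enforce; the pattern list is what a WAF rule under item 2 can realistically match without breaking legitimate names. Either way, the output of `scan_requests` is a set of source addresses and fields to pivot on in database logs, not a verdict that exploitation succeeded.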


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-26T16:30:34.572Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ff8744ba6dffc5e2fd65da

Added to database: 10/27/2025, 2:52:52 PM

Last enriched: 11/3/2025, 3:18:36 PM

Last updated: 12/10/2025, 9:27:43 PM