CVE-2025-13168: SQL Injection in ury-erp ury
A weakness has been identified in ury-erp ury up to version 0.2.0. It affects the function overrided_past_order_list in the file ury/ury/api/pos_extend.py: manipulation of the search_term argument leads to SQL injection. The attack can be launched remotely. An exploit has been made public and may be used. Upgrading to version 0.2.1 fixes the issue; the patch is commit 063384e0dddfd191847cd2d6524c342cc380b058. Upgrading the affected component is recommended. The vendor replied and reacted very professionally.
AI Analysis
Technical Summary
CVE-2025-13168 is a SQL injection vulnerability in the ury-erp ury product, a Frappe/ERPNext-based application, affecting versions 0.1 and 0.2.0. It resides in the overrided_past_order_list function of ury/ury/api/pos_extend.py, a point-of-sale API method in which the search_term argument is used in a SQL query without proper sanitization, so a caller can change the structure of the query rather than just the value being searched for. The attack vector is network-based and needs no user interaction. The advisory does not publish the CVSS vector; the CVSS 4.0 base score of 5.3 (medium) is the rating VulDB gives to SQL injections reachable by a low-privileged remote user, so the realistic precondition is an account that can call the POS API rather than anonymous access, with confidentiality, integrity and availability each rated low. In practice a successful injection can still expose order and customer records, modify or delete database rows, or degrade the database server. The vendor responded promptly, releasing version 0.2.1 with the fix in commit 063384e0dddfd191847cd2d6524c342cc380b058. No in-the-wild exploitation has been reported, but exploit code is public, which makes upgrading urgent. Exposure is limited to ury installations running the vulnerable versions.
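The bug class, as an added example that is not the project's code (the real function and its patch are not reproduced here): a hypothetical past-order lookup that pastes search_term into the SQL text, beside the parameterized form that fixes it. sqlite3 stands in for the ERP's MariaDB so the example runs offline; the table, rows and payload are constructed.

```python
import sqlite3

# Constructed sample rows standing in for the ERP's POS invoice table (not real
# data). sqlite3 is used so the example runs offline; the real app talks to
# MariaDB through frappe.db.sql, but the injection and the fix are the same.
SAMPLE_INVOICES = [
    ("ACC-PSINV-2025-00001", "Alice", "Paid", 42.0),
    ("ACC-PSINV-2025-00002", "Bob", "Draft", 13.5),
    ("ACC-PSINV-2025-00003", "Carol", "Paid", 99.0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pos_invoice (name TEXT, customer TEXT, status TEXT, grand_total REAL)"
    )
    conn.executemany("INSERT INTO pos_invoice VALUES (?, ?, ?, ?)", SAMPLE_INVOICES)
    return conn


def past_order_list_vulnerable(conn, search_term, status="Draft"):
    """Hypothetical illustration of the bug class: the caller-controlled search
    term is pasted into the SQL text, so quotes and comment markers in it are
    parsed as SQL instead of being matched as data."""
    sql = (
        "SELECT name, customer, status FROM pos_invoice "
        f"WHERE status = '{status}' "
        f"AND (name LIKE '%{search_term}%' OR customer LIKE '%{search_term}%')"
    )
    return conn.execute(sql).fetchall()


def _escape_like(term):
    # Bound parameters stop injection, but "%" and "_" are still LIKE
    # wildcards; escape them so a caller cannot use "%" to list every row.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def past_order_list_fixed(conn, search_term, status="Draft"):
    """Parameterized form: the value travels separately from the SQL text and
    can only ever be compared, never parsed. The Frappe equivalent is
    frappe.db.sql(query, {"term": pattern}) with %(term)s placeholders."""
    sql = (
        "SELECT name, customer, status FROM pos_invoice "
        "WHERE status = ? AND (name LIKE ? ESCAPE '\\' OR customer LIKE ? ESCAPE '\\')"
    )
    pattern = "%" + _escape_like(search_term) + "%"
    return conn.execute(sql, (status, pattern, pattern)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: closes the LIKE literal, adds a tautology, comments out the rest.
    payload = "%') OR 1=1 --"
    print("vulnerable:", past_order_list_vulnerable(db, payload))  # every row, any status
    print("fixed:     ", past_order_list_fixed(db, payload))       # no row matches
```

The status filter in the vulnerable query is silently discarded by the payload because the comment marker removes everything after the tautology; the fixed query returns nothing for the same input, and also treats a bare `_` or `%` as literal characters rather than wildcards.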
Potential Impact
For European organizations, the SQL injection in ury-erp ury could lead to unauthorized disclosure of business data, manipulation or deletion of ERP and point-of-sale records, and downtime of the ERP service. That would disrupt order management, sales and financial processes for companies that rely on ury for their point-of-sale operations. A breach that exposes customer or employee data may attract regulatory penalties under GDPR. The medium severity rating reflects a limited, low-impact compromise per CVSS category, but remote reachability through the POS API is a concern for organizations whose ERP interfaces are exposed to the internet or to a large population of low-privileged accounts. Public exploit code further raises the likelihood of targeted attacks and opportunistic scanning. Hospitality and retail organizations that run ury could face operational and reputational damage if the flaw is exploited.
Mitigation Recommendations
European organizations using ury-erp ury should upgrade to version 0.2.1 or later immediately; it contains the official fix for CVE-2025-13168. Because the vulnerable function is a point-of-sale API method, review which accounts hold the roles that can call it, disable unused POS user accounts, and rotate credentials for any shared terminal logins. Restrict access to ERP interfaces with firewalls or a VPN so they are not reachable from untrusted networks. A web application firewall with SQL injection rules adds a layer of defense but is not a substitute for the patch. Review custom extensions and integrations for the same pattern, SQL built with string formatting (f-strings, % formatting, concatenation) and passed to frappe.db.sql, and convert those queries to bound parameters. Audit ERP and web server logs for calls to the affected endpoint whose search_term carries quotes, comment markers or SQL keywords. Finally, keep tested backups of the ERP database so that records can be restored if an attack corrupts or deletes them.
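The log audit step above, as an added example rather than anything from the advisory or the project: it scans nginx-style access log lines for calls to the affected endpoint and flags search_term values that look like injection attempts. Frappe exposes whitelisted functions at /api/method/<dotted path> and accepts GET as well as POST, which is why the parameter is visible in a query string; the log lines, IPs and payloads are constructed, and the heuristics are a starting point to tune, not a detection signature.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed nginx-style access log lines standing in for an ERP front end's
# log (not real traffic). POST bodies are not written to an access log, so for
# POST calls you need application-level request logging instead.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2025:15:13:54 +0000] "GET /api/method/ury.ury.api.pos_extend.overrided_past_order_list?search_term=Bob&status=Draft HTTP/1.1" 200 512
10.0.0.9 - - [14/Nov/2025:15:14:02 +0000] "GET /api/method/ury.ury.api.pos_extend.overrided_past_order_list?search_term=%25%27%29+OR+1%3D1+--&status=Draft HTTP/1.1" 200 40960
10.0.0.9 - - [14/Nov/2025:15:14:10 +0000] "GET /api/method/ury.ury.api.pos_extend.overrided_past_order_list?search_term=%27+UNION+SELECT+1%2C2%2C3+--&status=Draft HTTP/1.1" 500 120
10.0.0.7 - - [14/Nov/2025:15:15:00 +0000] "GET /api/method/ury.ury.api.pos_extend.overrided_past_order_list?search_term=O%27Brien&status=Paid HTTP/1.1" 200 300
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
ENDPOINT = "pos_extend.overrided_past_order_list"

# (label, regex) pairs applied to the URL-decoded parameter value. "#" is a
# MySQL/MariaDB comment marker, so it is included even though it can fire on
# harmless input such as "Order #12"; tune for your data.
HEURISTICS = [
    ("sql-comment", re.compile(r"--|/\*|#")),
    ("tautology", re.compile(r"\b(\d+)\s*=\s*\1\b|'[^']*'\s*=\s*'")),
    ("quote+keyword", re.compile(
        r"(?i)['\"`)].*\b(union|select|or|and|sleep|benchmark|drop|insert|update|delete)\b"
    )),
]


def classify_term(term):
    """Return the labels of every heuristic the decoded search_term triggers."""
    return [label for label, rx in HEURISTICS if rx.search(term)]


def suspicious_requests(log_text):
    """Scan access log lines for calls to the affected endpoint whose
    search_term looks like an injection attempt.
    Returns [(ip, timestamp, http_status, decoded_term, labels), ...]."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or ENDPOINT not in m["target"]:
            continue
        params = parse_qs(urlsplit(m["target"]).query)
        for term in params.get("search_term", []):
            labels = classify_term(term)
            if labels:
                hits.append((m["ip"], m["ts"], int(m["status"]), term, labels))
    return hits


if __name__ == "__main__":
    for ip, ts, status, term, labels in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} labels={labels} term={term!r}")
```

A legitimate apostrophe (O'Brien) does not trip the check on its own; it takes a quote combined with a SQL keyword, a comment marker, or a tautology. A 500 on the endpoint is worth correlating as well, since a broken injected query often surfaces as a database error before the attacker gets the syntax right.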
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-14T08:13:43.179Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69174732ec553ac0a0d74e04
Added to database: 11/14/2025, 3:13:54 PM
Last enriched: 11/21/2025, 4:08:59 PM
Last updated: 12/30/2025, 7:51:34 AM
Views: 66
Related Threats
- CVE-2025-15355: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in NetVision Information ISOinsight (Medium)
- CVE-2025-15232: Stack-based Buffer Overflow in Tenda M3 (High)
- CVE-2025-15231: Stack-based Buffer Overflow in Tenda M3 (High)
- CVE-2025-15230: Heap-based Buffer Overflow in Tenda M3 (High)
- CVE-2025-15229: Denial of Service in Tenda CH22 (Medium)