CVE-2025-14190: SQL Injection in Chanjet TPlus
A flaw has been found in Chanjet TPlus up to 20251121. Affected by this vulnerability is an unknown functionality of the file /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx?method=Load. Manipulation of the argument currentAccId causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-14190 identifies a SQL injection vulnerability in Chanjet TPlus, a business management software product, in version 20251121 and earlier. The flaw lies in an unidentified function reached through the HTTP endpoint /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx with the query parameter method=Load. It stems from missing validation and sanitization of the currentAccId parameter, which is incorporated directly into SQL queries, so an unauthenticated remote attacker can inject SQL and potentially read, modify, or delete data in the database. The attack requires no user interaction and can be launched over the network, which makes automated exploitation more likely. No exploitation in the wild has been confirmed, but proof-of-concept code has been published, raising the likelihood of attacks. The vendor was contacted but has issued neither a response nor a patch, leaving deployments exposed. The CVSS 4.0 base score is 6.9 (medium): the attack vector is network and no privileges or user interaction are required, but the impact on confidentiality, integrity, and availability is limited. Organizations running Chanjet TPlus should treat this as an active risk and apply compensating controls until an official patch is available.
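The root cause described above, an account id spliced straight into SQL text, next to the fix a developer would apply, as an added Python example that is not Chanjet's code: the vendor's source is not public, so the accounts table, the handle_load stand-in for the method=Load handler, and the assumption that a legitimate currentAccId is a plain decimal number are all constructed for the demonstration.

```python
import re
import sqlite3


# Constructed stand-in schema: the real TPlus database layout is not public,
# so a small accounts table is assumed for the demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, fiscal_year INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1001, "Demo Ltd", 2025), (1002, "Other GmbH", 2024)],
    )
    return conn


class InvalidAccountId(ValueError):
    """Raised when currentAccId is not a plain decimal account id."""


# Allow-list: an account id is assumed to be a short decimal string (assumption).
ACC_ID_RE = re.compile(r"\d{1,18}")


def parse_acc_id(raw):
    """Validate currentAccId before it reaches any SQL; reject everything else."""
    if not isinstance(raw, str) or ACC_ID_RE.fullmatch(raw) is None:
        raise InvalidAccountId(f"rejected currentAccId: {raw!r}")
    return int(raw)


def load_account_unsafe(conn, raw_acc_id):
    """BEFORE: the pattern the advisory describes. The parameter becomes part of
    the statement text, so whatever the caller sends is executed as SQL."""
    sql = f"SELECT id, name, fiscal_year FROM accounts WHERE id = {raw_acc_id}"
    return conn.execute(sql).fetchall()


def load_account_safe(conn, raw_acc_id):
    """AFTER: validate, then bind the value as a query parameter so the driver
    always treats it as data, never as SQL."""
    acc_id = parse_acc_id(raw_acc_id)
    return conn.execute(
        "SELECT id, name, fiscal_year FROM accounts WHERE id = ?", (acc_id,)
    ).fetchall()


def handle_load(conn, params):
    """Hypothetical stand-in for the method=Load handler: bad input is answered
    with an HTTP-style 400 and never reaches the database."""
    try:
        rows = load_account_safe(conn, params.get("currentAccId"))
    except InvalidAccountId as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    print(handle_load(db, {"currentAccId": "1001"}))
    print(handle_load(db, {"currentAccId": "1001 OR 1=1"}))
```

The two defences are independent: parameter binding alone already stops the injection, and the allow-list check alone already stops it, but keeping both means a future query that someone writes without binding is still protected by the validation at the entry point.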
Potential Impact
For European organizations, this vulnerability poses a moderate risk, particularly for those using Chanjet TPlus in finance, accounting, or enterprise resource planning functions. Successful exploitation could lead to unauthorized disclosure of sensitive financial data, unauthorized modification of records, or disruption of business operations. This could result in regulatory compliance violations under GDPR due to data breaches, financial losses, reputational damage, and operational downtime. The lack of vendor response and absence of patches increase the exposure window. Organizations with interconnected systems or those relying heavily on Chanjet TPlus for critical business processes are at higher risk. Attackers could leverage this vulnerability to gain footholds in corporate networks or exfiltrate data. The remote, unauthenticated nature of the exploit makes it accessible to a wide range of threat actors, including opportunistic attackers and advanced persistent threats targeting European enterprises.
Mitigation Recommendations
Since no official patches are currently available, European organizations should implement immediate compensating controls. These include:
1) Restricting network access to the vulnerable endpoint by using firewalls or web application firewalls (WAFs) to block or filter suspicious requests targeting the currentAccId parameter.
2) Employing input validation and sanitization proxies or reverse proxies that can detect and block SQL injection patterns.
3) Monitoring logs for unusual or malformed requests to the affected endpoint to detect potential exploitation attempts.
4) Conducting internal code reviews or penetration testing to identify and mitigate similar injection flaws in customizations or integrations.
5) Isolating the Chanjet TPlus system within segmented network zones to limit lateral movement if compromised.
6) Preparing incident response plans specific to SQL injection attacks and ensuring backups are current and tested.
7) Engaging with Chanjet support channels persistently to obtain updates or patches.
8) Considering temporary migration to alternative software solutions if feasible, until the vulnerability is remediated.
These measures should be combined to reduce the attack surface and detect exploitation attempts proactively.
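Recommendation 3, monitoring logs for malformed requests to the affected endpoint, as an added Python example that is not part of the advisory: it parses combined-format access-log lines (the sample lines below are constructed, not real traffic), keeps only requests to the vulnerable .ashx path named in the advisory, and flags any currentAccId value that is not a plain decimal id. It assumes the parameter is visible in the query string; if the application carries it in a POST body, as AjaxPro-style handlers often do (an assumption, the advisory does not say), the same check has to run on a reverse proxy or WAF that logs request bodies, which is why a request to the endpoint without the parameter is surfaced as "watch" rather than ignored.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory.
VULN_PATH = "/tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx"
VULN_PARAM = "currentAccId"

# Apache/nginx combined-style access log: client, ident, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Expected shape of a legitimate account id (assumption: plain decimal).
ID_RE = re.compile(r"\d{1,18}")
# Generic SQL syntax that has no business inside a numeric id.
SQL_HINTS = re.compile(
    r"['\";]|--|/\*|\b(?:or|and|union|select|sleep|waitfor)\b", re.IGNORECASE
)


def parse_line(line):
    """Split one access-log line into fields; return None for lines in another format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return (verdict, reason) for a parsed request."""
    if entry["path"].lower() != VULN_PATH.lower():
        return "ignore", "other endpoint"
    values = entry["query"].get(VULN_PARAM)
    if not values:
        # Arguments sent in a POST body are not in ordinary access logs:
        # surface the request so body-level logs can be checked.
        return "watch", f"{VULN_PARAM} not in query string; inspect request body logs"
    for value in values:
        value = unquote_plus(value)  # second decode catches double-encoded values
        if ID_RE.fullmatch(value):
            continue
        if SQL_HINTS.search(value):
            return "alert", f"SQL syntax in {VULN_PARAM}: {value!r}"
        return "alert", f"non-numeric {VULN_PARAM}: {value!r}"
    return "ok", "well-formed request"


def scan(lines):
    """Run classify over a log and return the entries worth an analyst's attention."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict, reason = classify(entry)
        if verdict in ("alert", "watch"):
            findings.append((entry["ip"], entry["ts"], entry["status"], verdict, reason))
    return findings


# Constructed sample log lines (not real traffic); only the path is the advisory's.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2025:12:28:33 +0000] "GET ' + VULN_PATH
    + '?method=Load&currentAccId=1001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Dec/2025:12:29:01 +0000] "GET ' + VULN_PATH
    + '?method=Load&currentAccId=1001%27 HTTP/1.1" 500 0',
    '10.0.0.7 - - [07/Dec/2025:12:29:40 +0000] "POST ' + VULN_PATH
    + '?method=Load HTTP/1.1" 200 640',
    '10.0.0.9 - - [07/Dec/2025:12:30:12 +0000] "GET ' + VULN_PATH
    + '?method=Load&currentAccId=abc HTTP/1.1" 500 0',
    '10.0.0.5 - - [07/Dec/2025:12:31:02 +0000] "GET /tplus/login.aspx HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A 500 response paired with an "alert" verdict from the same client is the combination worth paging on, since a database error on a malformed id is what an error-based probe produces; the same `classify` logic can be turned into a WAF or reverse-proxy rule for recommendations 1 and 2 by rejecting any request to VULN_PATH whose currentAccId fails `ID_RE`.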
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-06T14:25:57.712Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693572f137e7cb8c9bebccb9
Added to database: 12/7/2025, 12:28:33 PM
Last enriched: 12/14/2025, 1:35:15 PM
Last updated: 2/7/2026, 3:03:07 AM