
CVE-2025-29267: n/a

Severity: Medium
Published: Tue Jul 08 2025 (07/08/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

SQL Injection vulnerability in Abis, Inc Adjutant Core Accounting ERP build v.PreBeta250F allows a remote attacker to obtain sensitive information via the cid parameter in the GET request.

AI-Powered Analysis

Last updated: 07/15/2025, 21:57:55 UTC

Technical Analysis

CVE-2025-29267 is a SQL Injection vulnerability identified in the Adjutant Core Accounting ERP software developed by Abis, Inc. The affected version is indicated as a PreBeta250F build, suggesting this vulnerability exists in a pre-release or early development version of the product. The vulnerability arises from improper sanitization of the 'cid' parameter in HTTP GET requests, which allows a remote attacker to inject malicious SQL code. Exploiting this flaw, an attacker can retrieve sensitive information from the backend database without requiring any authentication or user interaction. The vulnerability is classified under CWE-89, which corresponds to SQL Injection, a well-known attack vector that can compromise confidentiality and integrity of data. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) reveals that the attack can be performed remotely over the network with low attack complexity, no privileges, and no user interaction required. The impact affects confidentiality and integrity but does not affect availability. No patches or known exploits in the wild have been reported yet. Given the nature of ERP systems, which typically store critical financial and operational data, this vulnerability could lead to unauthorized data disclosure and potential manipulation of accounting records if exploited.

Potential Impact

For European organizations using the Adjutant Core Accounting ERP, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive financial data. Unauthorized access to accounting information could lead to data breaches involving personally identifiable information (PII), financial fraud, and regulatory non-compliance, especially under GDPR requirements. The medium severity rating suggests that while the vulnerability is exploitable remotely without authentication, the impact is limited to data disclosure and modification without system downtime. However, given the critical role of ERP systems in business operations, any compromise could disrupt financial reporting and audit processes, potentially causing reputational damage and financial losses. Organizations in sectors with stringent compliance obligations, such as banking, insurance, and public administration, may face heightened risks. Additionally, the lack of available patches increases the urgency for organizations to implement compensating controls to mitigate exploitation risks.

Mitigation Recommendations

Since no official patches are currently available, European organizations should implement immediate compensating controls. These include:

1) Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'cid' parameter.
2) Conducting thorough input validation and sanitization on all user-supplied data, especially GET parameters, at the application level.
3) Restricting database user permissions to the minimum necessary to limit the impact of any injection.
4) Monitoring application logs and network traffic for unusual query patterns or repeated access attempts to the vulnerable endpoint.
5) If feasible, temporarily disabling or restricting access to the vulnerable functionality until a patch is released.
6) Engaging with the vendor for updates and applying patches promptly once available.
7) Performing regular security assessments and penetration testing focused on injection flaws to proactively identify and remediate similar vulnerabilities.
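The following added example (not code from Abis or the Adjutant product) illustrates mitigation items 2, 3 and 4 for a 'cid' GET parameter: the CWE-89 string-splicing pattern beside a hardened lookup that allowlists the value and binds it as a parameter, plus a log check that flags requests whose cid fails the same allowlist. It assumes cid is a numeric customer id and uses a constructed in-memory table and constructed access-log lines; the advisory does not describe the real schema or log format.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed in-memory stand-in for an accounting backend (not Adjutant's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (cid INTEGER PRIMARY KEY, name TEXT, iban TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Alpha GmbH", "DE00-TEST-0001"), (2, "Beta SA", "FR00-TEST-0002")])
    return conn

def lookup_vulnerable(conn, cid):
    # The CWE-89 pattern: the raw GET parameter is spliced into the SQL text,
    # so a tautology in cid widens the WHERE clause to every row in the table.
    return conn.execute(f"SELECT name, iban FROM customers WHERE cid = {cid}").fetchall()

# Allowlist for cid; assumes cid is a decimal customer id (not stated in the advisory).
CID_RE = re.compile(r"[0-9]{1,10}")

def lookup_hardened(conn, cid):
    # Mitigation items 2 and 3: reject anything outside the allowlist, then bind the
    # value with a placeholder so the database never parses it as SQL.
    if not CID_RE.fullmatch(cid):
        raise ValueError("cid must be a decimal integer")
    return conn.execute("SELECT name, iban FROM customers WHERE cid = ?", (int(cid),)).fetchall()

REQ_RE = re.compile(r'"GET (\S+) HTTP/')
CID_QS_RE = re.compile(r"[?&]cid=([^&\s]*)")

def flag_suspicious_cid(log_lines):
    # Mitigation item 4: return access-log lines whose (URL-decoded) cid fails the allowlist.
    hits = []
    for line in log_lines:
        req = REQ_RE.search(line)
        cid = CID_QS_RE.search(req.group(1)) if req else None
        if cid and not CID_RE.fullmatch(unquote(cid.group(1))):
            hits.append(line)
    return hits

# Constructed Common Log Format lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jul/2025:10:00:01 +0000] "GET /customer?cid=1 HTTP/1.1" 200 312',
    '10.0.0.9 - - [08/Jul/2025:10:00:07 +0000] "GET /customer?cid=1%20OR%201%3D1 HTTP/1.1" 200 6410',
    '10.0.0.5 - - [08/Jul/2025:10:00:09 +0000] "GET /customer?cid=2 HTTP/1.1" 200 298',
]
```

Running `flag_suspicious_cid(SAMPLE_LOG)` returns only the second line; the unusually large response size on that line is the kind of secondary signal item 4 refers to.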


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-11T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 686d2a1f6f40f0eb72f606b1

Added to database: 7/8/2025, 2:24:31 PM

Last enriched: 7/15/2025, 9:57:55 PM

Last updated: 8/9/2025, 10:17:50 AM
