This vulnerability (CVE-2025-32573) in Kiotviet KiotViet Sync is classified as CWE-89 (SQL Injection). It allows an attacker with low privileges to inject malicious SQL commands due to improper sanitization of input used in SQL queries. The affected product versions include all up to 1.8.3. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) indicates network attack vector, low attack complexity, requiring low privileges, no user interaction, scope changed, high confidentiality impact, no integrity impact, and low availability impact. No patch or official remediation level has been published by the vendor, and the product is not a cloud service, so remediation depends on vendor updates or user-applied fixes.

Successful exploitation could allow an attacker with low privileges to execute arbitrary SQL commands on the backend database, leading to a complete confidentiality breach of the database contents. Integrity is not impacted, and availability impact is low. This could expose sensitive data stored in the database to unauthorized parties.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary workaround is currently available, users should monitor vendor communications for updates. Until a patch is released, consider restricting access to the affected application to trusted users only and applying any available input validation or web application firewall rules that might mitigate SQL injection attempts.