
CVE-2025-40635: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Comerzzia Comerzzia Backoffice: Sales Orchestrator

Critical
Vulnerability | CVE-2025-40635 | CWE-89
Published: Tue May 20 2025 (05/20/2025, 12:51:57 UTC)
Source: CVE
Vendor/Project: Comerzzia
Product: Comerzzia Backoffice: Sales Orchestrator

Description

SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint.

AI-Powered Analysis

Last updated: 07/11/2025, 12:33:15 UTC

Technical Analysis

CVE-2025-40635 is a critical SQL injection vulnerability (CWE-89) found in Comerzzia Backoffice: Sales Orchestrator version 3.0.15. This vulnerability exists in the '/comerzzia/login' endpoint, specifically in the handling of the parameters 'uidActivity', 'codCompany', and 'uidInstance'. Due to improper neutralization of special elements in SQL commands, an unauthenticated attacker can exploit this flaw to execute arbitrary SQL queries against the backend database. This allows the attacker to retrieve, create, update, or delete data within the database, potentially compromising the confidentiality, integrity, and availability of the affected system's data. The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity, with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the ease of exploitation and the critical impact make it a significant risk. Comerzzia Backoffice: Sales Orchestrator is a business management tool, likely used by organizations to manage sales operations, making the data and operational disruption risks substantial if exploited.

Potential Impact

For European organizations using Comerzzia Backoffice: Sales Orchestrator 3.0.15, this vulnerability poses a severe risk. Exploitation could lead to unauthorized access to sensitive business data, including sales records, customer information, and company operational data. Attackers could manipulate or delete critical data, disrupting business processes and causing financial loss. The ability to execute arbitrary SQL commands without authentication increases the risk of widespread data breaches and potential compliance violations under regulations such as GDPR. Additionally, operational disruption could affect supply chains and customer relations. The critical nature of the vulnerability means that organizations relying on this software for sales orchestration must prioritize remediation to avoid reputational damage and legal consequences.

Mitigation Recommendations

1. Immediate upgrade or patching: Organizations should check for and apply any official patches or updates from Comerzzia addressing this vulnerability. If no patch is available, consider upgrading to a later, unaffected version.
2. Input validation and parameterization: Review and enhance input validation on the affected parameters ('uidActivity', 'codCompany', 'uidInstance') to ensure proper sanitization and use of parameterized queries or prepared statements to prevent SQL injection.
3. Web application firewall (WAF): Deploy or update WAF rules to detect and block SQL injection attempts targeting the '/comerzzia/login' endpoint.
4. Network segmentation and access controls: Restrict access to the Sales Orchestrator application to trusted networks and users to reduce exposure.
5. Monitoring and logging: Implement detailed logging of database queries and application access, and monitor for unusual activity indicative of exploitation attempts.
6. Incident response readiness: Prepare to respond quickly to any signs of compromise, including data exfiltration or unauthorized changes.
7. Vendor engagement: Engage with Comerzzia for guidance and support, and to receive timely updates on patches or mitigations.
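As an added illustration (not code from this page or from Comerzzia), the string-concatenation pattern behind CWE-89 next to the parameterized-and-validated form that recommendation 2 calls for, applied to the three login parameters. It assumes an in-memory SQLite table with made-up names, and the allowlist format for the identifiers is likewise an assumption.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the login lookup; table and column
# names are assumptions for illustration, not Comerzzia's schema.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activity (uid_activity TEXT, cod_company TEXT, uid_instance TEXT)")
    conn.executemany("INSERT INTO activity VALUES (?, ?, ?)",
                     [("act-001", "C01", "inst-a"), ("act-002", "C02", "inst-b")])
    return conn

def lookup_vulnerable(conn, uid_activity, cod_company, uid_instance):
    # The CWE-89 pattern: request parameters are spliced into the statement
    # text, so a quote inside a value changes the SQL the database parses.
    sql = ("SELECT uid_activity FROM activity WHERE uid_activity = '" + uid_activity
           + "' AND cod_company = '" + cod_company
           + "' AND uid_instance = '" + uid_instance + "'")
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, uid_activity, cod_company, uid_instance):
    # Placeholders: the driver binds values as data, so a quote inside a
    # value is just a character to compare, never SQL syntax.
    sql = ("SELECT uid_activity FROM activity "
           "WHERE uid_activity = ? AND cod_company = ? AND uid_instance = ?")
    return [row[0] for row in conn.execute(sql, (uid_activity, cod_company, uid_instance))]

# Second layer: the three parameters are identifiers, so reject anything that
# is not a short token (the exact format is an assumption about the product).
_IDENT = re.compile(r"[A-Za-z0-9_-]{1,64}")

def lookup_safe(conn, uid_activity, cod_company, uid_instance):
    for value in (uid_activity, cod_company, uid_instance):
        if not _IDENT.fullmatch(value):
            raise ValueError(f"rejected malformed identifier: {value!r}")
    return lookup_parameterized(conn, uid_activity, cod_company, uid_instance)

def demo():
    """Return (vulnerable_raised_sql_error, parameterized_rows, safe_rejected)."""
    conn = setup_db()
    probe = "O'Brien"  # constructed value: one stray quote, the simplest CWE-89 symptom
    try:
        lookup_vulnerable(conn, probe, "C01", "inst-a")
        vuln_error = False
    except sqlite3.Error:  # the quote broke the statement: input was parsed as SQL
        vuln_error = True
    rows = lookup_parameterized(conn, probe, "C01", "inst-a")  # compared as data: no match
    try:
        lookup_safe(conn, probe, "C01", "inst-a")
        rejected = False
    except ValueError:
        rejected = True
    return vuln_error, rows, rejected
```

A database syntax error triggered by a quote in a login parameter is also a useful detection signal for recommendation 5: log it with the offending parameter name rather than swallowing it.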


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T08:38:10.818Z
Cisa Enriched: true
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeafda

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/11/2025, 12:33:15 PM

Last updated: 7/11/2025, 12:33:15 PM
