
CVE-2025-40985: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SCATI SCATI Vision Web

Severity: High
Tags: Vulnerability, CVE-2025-40985, CWE-89
Published: Wed Jul 16 2025 (07/16/2025, 09:27:41 UTC)
Source: CVE Database V5
Vendor/Project: SCATI
Product: SCATI Vision Web

Description

SQL injection vulnerability in SCATI Vision Web of SCATI Labs from version 4.8 to 7.2. This vulnerability allows an attacker to exfiltrate some data from the database via the ‘login’ parameter in the endpoint ‘/scatevision_web/index.php/loginForm’.

AI-Powered Analysis

AI analysis last updated: 07/16/2025, 10:01:13 UTC

Technical Analysis

CVE-2025-40985 is a high-severity SQL Injection vulnerability (CWE-89) found in SCATI Vision Web, a product by SCATI Labs, affecting versions from 4.8 up to 7.2. The vulnerability specifically exists in the 'login' parameter of the endpoint '/scatevision_web/index.php/loginForm'. An attacker can exploit this flaw by injecting malicious SQL code into the login parameter, which is improperly sanitized or neutralized before being used in SQL commands. This improper neutralization allows unauthorized extraction of data from the backend database without requiring authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 8.3, indicating a high impact with network attack vector, high attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality is high, as data exfiltration is possible, while integrity and availability impacts are limited or none. No known exploits are reported in the wild yet, and no patches have been published at the time of disclosure. The vulnerability was reserved in April 2025 and published in July 2025. SCATI Vision Web is typically used in video management and security monitoring systems, often deployed in critical infrastructure and public safety environments, making this vulnerability particularly sensitive.

Potential Impact

For European organizations, the exploitation of this SQL Injection vulnerability could lead to unauthorized disclosure of sensitive data stored in SCATI Vision Web databases. Given that SCATI Vision Web is used in security and surveillance systems, attackers could gain access to confidential video footage, user credentials, or configuration data, potentially undermining physical security and privacy compliance obligations such as GDPR. The breach of such data could result in operational disruptions, reputational damage, regulatory fines, and loss of trust. Furthermore, attackers might leverage the extracted information to facilitate further attacks within the network. The high attack complexity somewhat limits exploitation but does not require authentication or user interaction, increasing the risk of remote exploitation. The absence of known exploits currently provides a window for mitigation before widespread attacks occur. Organizations relying on SCATI Vision Web for critical monitoring should prioritize addressing this vulnerability to prevent data breaches and maintain security posture.

Mitigation Recommendations

European organizations should immediately conduct an inventory to identify all instances of SCATI Vision Web versions 4.8 through 7.2 in their environment. Since no official patches are available yet, organizations should implement compensating controls such as:

1) Restricting network access to the SCATI Vision Web application to trusted IP ranges and internal networks only, minimizing exposure to the internet.
2) Deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the '/scatevision_web/index.php/loginForm' endpoint and the 'login' parameter.
3) Monitoring application logs and network traffic for unusual or suspicious activities indicative of SQL injection attempts.
4) Applying strict input validation and sanitization at the application or proxy level if possible.
5) Planning for immediate patch deployment once SCATI releases an official fix.

Additionally, organizations should review database permissions to ensure the SCATI application uses least privilege principles, limiting the potential damage from successful exploitation. Conducting security awareness training for administrators managing SCATI Vision Web systems is also advisable to recognize and respond to potential exploitation attempts.
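As an added illustration of recommendation 3 (not code from SCATI or from this advisory), the script below triages web server access logs for requests to the affected endpoint whose 'login' query parameter carries SQL metacharacters. It assumes Common Log Format lines and URL-encoded requests; the log lines are constructed samples. Requests that send 'login' in a POST body do not show the value in an access log, so the same check would have to run at the WAF or proxy, or on application-level request logging.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/scatevision_web/index.php/loginForm"
TARGET_PARAM = "login"

# Tokens that should never appear in a username submitted to a login form.
# This is a coarse triage heuristic, not a substitute for a patch or a WAF.
SUSPICIOUS = re.compile(r"""['"]|--|;|/\*|\*/|\b(union|select|sleep|benchmark)\b""", re.IGNORECASE)

# Common Log Format as written by Apache/nginx (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def extract_login(target):
    """Return the decoded 'login' value if the request hits the affected endpoint, else None."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM)
    return values[0] if values else None

def scan(lines):
    """Return one alert dict per request whose 'login' value contains a suspicious token."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these separately
        login = extract_login(m.group("target"))
        if login is None:
            continue
        hit = SUSPICIOUS.search(login)
        if hit:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "status": m.group("status"), "login": login, "token": hit.group(0)})
    return alerts

# Constructed sample log lines (not real SCATI traffic): one benign login,
# one probe carrying a quote and comment sequence, one hit on a different path.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jul/2025:09:30:01 +0000] "GET /scatevision_web/index.php/loginForm?login=operator1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [16/Jul/2025:09:30:07 +0000] "GET /scatevision_web/index.php/loginForm?login=operator1%27%20-- HTTP/1.1" 200 512',
    '198.51.100.9 - - [16/Jul/2025:09:31:11 +0000] "GET /scatevision_web/index.php/other?login=x%27 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} login={alert['login']!r} token={alert['token']!r}")
```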


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-04-16T09:08:37.855Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 687774e3a83201eaacd91709

Added to database: 7/16/2025, 9:46:11 AM

Last enriched: 7/16/2025, 10:01:13 AM

Last updated: 7/16/2025, 10:01:13 AM

