CVE-2025-41370: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in TESI Gandia Integra Total

Critical
Tags: Vulnerability, CVE-2025-41370, CWE-89
Published: Fri Aug 01 2025 (08/01/2025, 12:28:12 UTC)
Source: CVE Database V5
Vendor/Project: TESI
Product: Gandia Integra Total

Description

A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb/html/view/acceso.php.

AI-Powered Analysis

Last updated: 08/01/2025, 13:03:46 UTC

Technical Analysis

CVE-2025-41370 is a SQL injection vulnerability in TESI's Gandia Integra Total, affecting versions from 2.1.2217.3 through 4.4.2236.1. The flaw is in the 'idestudio' parameter of the /encuestas/integraweb/html/view/acceso.php endpoint: the parameter value is incorporated into an SQL statement without neutralizing SQL metacharacters (CWE-89), so whoever controls the value can change the structure of the query rather than merely the value it compares against. According to the description the attacker must be authenticated; with a valid session they can read, create, update and delete data in the backend database, and the wording "create and delete databases" suggests the application's database account holds rights well beyond what a survey front end needs. The record carries a CVSS 4.0 base score of 9.3 (critical) with a vector of AV:N/AC:L/PR:N/UI:N and high confidentiality, integrity and availability impact. Note the inconsistency: PR:N (no privileges required) in the vector contradicts the "authenticated attacker" wording of the description. Practitioners should plan for the lower barrier, any valid account, and expect the vector to be corrected in a later revision. No public exploits were reported at the time of writing. Gandia Integra Total is survey and data-collection software, so the affected database typically holds respondent answers and study definitions; successful exploitation could expose that data, corrupt it, or disrupt the service. No vendor patch was listed when this entry was published, which raises the urgency of compensating controls.
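As an added illustration (not code from TESI, from acceso.php, or from this advisory), the following Python reproduces the CWE-89 pattern described above against an in-memory SQLite database. The schema, the owner check, the table and column names and the payloads are constructed for the demonstration and are assumptions, not a description of the real endpoint. It shows three things: a spliced-in 'idestudio' value that comments out the rest of the WHERE clause, a UNION payload that pulls rows from an unrelated table, and the hardened form (allow-list validation plus a bound parameter) rejecting the same inputs.

```python
import sqlite3
from typing import List, Tuple

# Constructed schema for the demo. The real Gandia Integra Total schema is not
# public; table and column names here are assumptions, not the product's.
SCHEMA = """
CREATE TABLE estudios (id INTEGER PRIMARY KEY, nombre TEXT, propietario TEXT);
CREATE TABLE usuarios (id INTEGER PRIMARY KEY, usuario TEXT, password_hash TEXT);
INSERT INTO estudios VALUES (1, 'Clima laboral 2025', 'alice');
INSERT INTO estudios VALUES (2, 'Satisfaccion clientes', 'bob');
INSERT INTO estudios VALUES (3, 'Panel consumidores', 'carol');
INSERT INTO usuarios VALUES (1, 'admin', 'hash-admin-constructed');
INSERT INTO usuarios VALUES (2, 'alice', 'hash-alice-constructed');
"""


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_estudio_vulnerable(conn: sqlite3.Connection, idestudio: str,
                              owner: str) -> List[Tuple]:
    """The CWE-89 pattern: the request parameter is spliced into the SQL text,
    so metacharacters in it become part of the statement, not of the value."""
    sql = ("SELECT id, nombre, propietario FROM estudios "
           f"WHERE id = {idestudio} AND propietario = '{owner}'")
    return conn.execute(sql).fetchall()


def lookup_estudio_param_only(conn: sqlite3.Connection, idestudio: str,
                              owner: str) -> List[Tuple]:
    """Parameter binding alone: the query structure is fixed before the driver
    ever sees the value, so a payload is compared as data and matches nothing."""
    sql = ("SELECT id, nombre, propietario FROM estudios "
           "WHERE id = ? AND propietario = ?")
    return conn.execute(sql, (idestudio, owner)).fetchall()


def parse_idestudio(raw: str) -> int:
    """Allow-list validation: a study id is decimal digits and nothing else."""
    if not raw.isdecimal():
        raise ValueError(f"rejected idestudio value {raw!r}")
    return int(raw)


def lookup_estudio_safe(conn: sqlite3.Connection, idestudio: str,
                        owner: str) -> List[Tuple]:
    """Hardened form: validate the type, then bind it as a parameter."""
    est_id = parse_idestudio(idestudio)
    return lookup_estudio_param_only(conn, str(est_id), owner)


def demo() -> dict:
    conn = open_demo_db()
    bypass = "1 OR 1=1 --"  # '--' turns the owner check into a comment
    exfil = "0 UNION SELECT id, usuario, password_hash FROM usuarios --"
    results = {
        "legit": lookup_estudio_vulnerable(conn, "1", "alice"),
        "bypass": lookup_estudio_vulnerable(conn, bypass, "alice"),
        "exfil": lookup_estudio_vulnerable(conn, exfil, "alice"),
        "param_only_bypass": lookup_estudio_param_only(conn, bypass, "alice"),
        "safe_legit": lookup_estudio_safe(conn, "1", "alice"),
    }
    try:
        lookup_estudio_safe(conn, bypass, "alice")
        results["safe_bypass"] = "accepted"
    except ValueError:
        results["safe_bypass"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameter-only variant already defeats both payloads; the explicit allow-list on top of it is defence in depth and also gives the application a clean integer to work with instead of a string of unknown shape.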

Potential Impact

For European organizations using Gandia Integra Total, this vulnerability could lead to a serious data breach: survey responses, respondent records and user data held in the backend database would be readable by anyone with an account on the application. Because the injection also allows writes and deletions, it threatens the integrity of collected data and can disrupt any process that relies on accurate reporting from it. Where the stored data relates to identifiable people, a confirmed breach triggers GDPR obligations, including notification of the supervisory authority within 72 hours, and can carry legal and financial consequences. Availability impact follows if an attacker deletes or corrupts critical tables. Given the software's role in data collection, organizations in education, public administration and market research across Europe are the most exposed to operational disruption and reputational damage.

Mitigation Recommendations

Because the defect is in vendor code, the real fix (validating 'idestudio' as an integer and binding it as a query parameter instead of concatenating it into the SQL text) has to come from TESI; contact the vendor for a fixed build and treat everything below as a compensating control until it is deployed. Restrict reachability of /encuestas/integraweb/html/view/acceso.php to the users and networks that need it (VPN, IP allow-list, or an authenticating reverse proxy), and review who holds accounts on the application, since the precondition is any authenticated session. Put an allow-list rule in front of the parameter at the WAF or reverse proxy: 'idestudio' must be a short run of decimal digits, and anything else is blocked and logged. This is more robust than a blacklist of SQL keywords, which encoding tricks routinely evade. Reduce the privileges of the database account the application uses: the advisory says the injection can create and delete databases, which means that account holds DDL rights it almost certainly does not need day to day, so revoke everything beyond the data manipulation the application performs on its own schema. Monitor web-server and WAF logs for requests to acceso.php whose 'idestudio' value is not purely numeric, and for unusual response sizes or 500 errors from that endpoint. Keep tested, offline backups so that tampered or deleted data can be restored. A penetration test or scanner run confirms whether the WAF rule and access restrictions actually block the injection; it does not tell you whether you have already been exploited, which requires log review and database integrity checks.
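The log-monitoring step above, written out as an added example that is not part of this advisory or of any TESI tooling: the script scans web-server access-log lines (combined format) for requests to the vulnerable path and flags every 'idestudio' value that fails the numeric allow-list, instead of hunting for SQL keywords. The log lines are constructed for the example and use documentation IP ranges; the exact path is the one named in the advisory. Access logs only record GET query strings, so if the endpoint is also reached by POST the same check has to run on WAF or application logs that capture the request body.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/encuestas/integraweb/html/view/acceso.php"

# Apache/Nginx "combined" access-log line; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Allow-list for the parameter: a study id is a short run of decimal digits.
ID_OK = re.compile(r"^[0-9]{1,10}$")

# Constructed sample lines (not real traffic). Line 1 is benign, lines 2-4 carry
# payloads (plain, UNION, double-encoded quote), line 5 hits a different path.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2025:13:02:11 +0000] "GET /encuestas/integraweb/html/view/acceso.php?idestudio=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Aug/2025:13:02:19 +0000] "GET /encuestas/integraweb/html/view/acceso.php?idestudio=1234%20OR%201%3D1--%20 HTTP/1.1" 200 91233 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Aug/2025:13:02:25 +0000] "GET /encuestas/integraweb/html/view/acceso.php?idestudio=0%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Aug/2025:13:02:31 +0000] "GET /encuestas/integraweb/html/view/acceso.php?idestudio=1234%2527 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Aug/2025:13:03:01 +0000] "GET /encuestas/integraweb/html/index.php?idestudio=1%20OR%201%3D1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def flagged_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, timestamp, decoded idestudio) for every request to
    the vulnerable endpoint whose idestudio value is not a plain integer."""
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes once; a double-encoded payload decodes to
        # something that still is not digits, so the allow-list catches it too.
        for value in parse_qs(url.query, keep_blank_values=True).get("idestudio", []):
            if not ID_OK.match(value):
                findings.append((m["ip"], m["ts"], value))
    return findings


def offenders(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address for triage."""
    counts: Dict[str, int] = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = flagged_requests(SAMPLE_LOG)
    for ip, ts, value in hits:
        print(f"{ts} {ip} idestudio={value!r}")
    print("per source:", offenders(hits))
```

The same allow-list expressed as a WAF or reverse-proxy rule (reject the request when the parameter does not match `^[0-9]{1,10}$`) blocks rather than merely reports, and the two should be deployed together so that blocked attempts still show up in the detection pipeline.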

Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:57:06.080Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 688cb771ad5a09ad00c8e374

Added to database: 8/1/2025, 12:47:45 PM

Last enriched: 8/1/2025, 1:03:46 PM

Last updated: 8/18/2025, 1:22:22 AM