CVE-2025-41371: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in TESI Gandia Integra Total
A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb_v4/integra/html/view/acceso.php
AI Analysis
Technical Summary
CVE-2025-41371 is a SQL injection vulnerability in TESI's Gandia Integra Total, affecting versions from 2.1.2217.3 up to 4.4.2236.1, and is rated critical on this page (CVSS 4.0 base score 9.3). The injectable input is the 'idestudio' parameter of the /encuestas/integraweb_v4/integra/html/view/acceso.php endpoint. Because the parameter is not neutralized before it becomes part of the SQL command (CWE-89), an attacker who already holds valid application credentials can change the logic of the query and, per the advisory, retrieve, create, update and delete database contents. The 9.3 score reported here is built from a network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality, integrity and availability impact. Note that the "no privileges required" component conflicts with the advisory text, which states that authentication is needed; treat the score as an upper bound and the authentication requirement as the authoritative precondition. No public exploit is known at the time of this entry, but an injection in a parameter that looks like a record identifier is the kind of flaw that is usually straightforward to exploit once the endpoint is reachable, so the absence of a public exploit should not drive prioritization. Because Gandia Integra Total is survey and data-management software, the data at risk is the survey content itself and the management data around it, so exploitation translates directly into data breach or loss of trust in survey results.
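The mechanics described above, as an added example that is not code from the original page or from TESI's product. It uses an in-memory SQLite table whose name and columns are assumptions chosen to mirror a study-id lookup; 'cliente' stands in for the tenant bound to the authenticated session, which is how an already-logged-in attacker still gains something from the injection. The vulnerable function splices the parameter into the query text (the CWE-89 pattern), the hardened one validates its shape and binds it:

```python
import sqlite3

# Constructed stand-in for a survey table keyed by a study id. Table and column
# names are assumptions for illustration, not TESI's real schema.
SAMPLE_ROWS = [
    (1, "Encuesta de satisfaccion 2024", "tenant-a"),
    (2, "Estudio de mercado Q1", "tenant-a"),
    (3, "Encuesta interna RRHH", "tenant-b"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE estudio (idestudio INTEGER PRIMARY KEY, nombre TEXT, cliente TEXT)"
    )
    conn.executemany("INSERT INTO estudio VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, idestudio, cliente):
    """CWE-89 pattern: the request parameter is spliced into the SQL text.

    'cliente' models the tenant of the authenticated session; the query is
    meant to return only that tenant's study with the requested id.
    """
    sql = (
        "SELECT idestudio, nombre FROM estudio "
        f"WHERE cliente = '{cliente}' AND idestudio = {idestudio}"
    )
    return conn.execute(sql).fetchall()


def is_valid_idestudio(value):
    """Allow-list check: a study id is a positive integer and nothing else."""
    return isinstance(value, str) and value.isdigit() and int(value) > 0


def lookup_hardened(conn, idestudio, cliente):
    """Neutralized form: validate the parameter's shape, then bind it.

    Binding alone already stops the injection (the driver sends the value as
    data, never as SQL text); the allow-list check additionally rejects junk
    early and gives a clean error to log.
    """
    if not is_valid_idestudio(idestudio):
        raise ValueError("idestudio must be a positive integer")
    sql = "SELECT idestudio, nombre FROM estudio WHERE cliente = ? AND idestudio = ?"
    return conn.execute(sql, (cliente, int(idestudio))).fetchall()


def demo():
    """Run a legitimate request and two injection payloads through both paths."""
    conn = make_db()
    results = {
        "legit_vulnerable": lookup_vulnerable(conn, "1", "tenant-a"),
        # Tautology: AND binds tighter than OR, so the tenant restriction is
        # bypassed and every tenant's rows come back.
        "tautology_vulnerable": lookup_vulnerable(conn, "1 OR 1=1", "tenant-a"),
        # UNION: read from a table the query never intended to touch (here the
        # SQLite catalog, which discloses the schema).
        "union_vulnerable": lookup_vulnerable(
            conn, "0 UNION SELECT name, sql FROM sqlite_master", "tenant-a"
        ),
        "legit_hardened": lookup_hardened(conn, "1", "tenant-a"),
    }
    try:
        lookup_hardened(conn, "1 OR 1=1", "tenant-a")
        results["tautology_hardened"] = "accepted"
    except ValueError as exc:
        results["tautology_hardened"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two vulnerable payloads show the read side of the advisory's impact: the tautology returns every tenant's studies, the UNION returns rows from a table the lookup never named. The "create, update and delete" side needs either an injectable write statement or a driver that accepts stacked statements; the sqlite3 driver used here refuses stacked statements, which is a property of this driver, not a defence the real application can be assumed to have.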
Potential Impact
For European organizations running Gandia Integra Total, the exposure is substantial. A successful injection can read whatever the application's database account can read, which in survey software typically means respondent answers and the personal data attached to them, so a breach is likely to be reportable under GDPR. Integrity is at risk because the write primitive the advisory describes lets an attacker alter or falsify survey records, which silently corrupts every analysis and decision built on them. Availability suffers if data are deleted or whole databases are dropped. The authentication requirement narrows the pool of attackers to those holding a valid account, but that includes insiders, contractors and anyone who has phished or reused a survey operator's credentials, so it should not be read as a strong barrier. Public administrations, healthcare providers and research institutions that depend on accurate survey data face the combination of regulatory penalties, reputational damage and loss of trust in their published results.
Mitigation Recommendations
The durable fix is for the application to pass 'idestudio' to the database as a bound parameter instead of splicing it into the query text, and only TESI can ship that change; this page does not name a fixed version, so track TESI's advisories and upgrade as soon as one is published. Until then, because the vulnerable code belongs to the vendor, interim controls have to sit in front of the application and beneath it. In front: restrict who can reach the /encuestas/integraweb_v4/integra/html/view/acceso.php endpoint (VPN or IP allow-list for the survey back office) and add a WAF rule for it; if, as the parameter name suggests, 'idestudio' is a numeric study identifier, a rule that rejects any non-integer value is far more reliable than generic SQL injection signatures, which attackers routinely evade with encoding. Beneath: run the application against a database account that owns only its own schema and cannot create or drop databases or read other schemas, so that a successful injection cannot deliver the "create, update and delete databases" outcome the advisory describes. Because the attack requires a valid login, treat every account as a potential attack path: enforce strong authentication for application accounts, remove dormant ones, keep users alert to credential phishing, and review web server and database logs for requests to acceso.php whose 'idestudio' value is not a plain identifier, pivoting on the authenticated user rather than the source IP. Keep tested backups of the database so tampered or deleted data can be restored, and verify the restore procedure before it is needed.
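The log review described above, as an added example that is not part of the original page or of TESI's product. It assumes a combined-format web server access log, that 'idestudio' is a numeric identifier (so anything else is an anomaly), and that the parameter arrives in the query string; the log lines, user names, IPs and timestamps are constructed for the example:

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Path named in the advisory; everything else here is an assumption for illustration.
ENDPOINT = "/encuestas/integraweb_v4/integra/html/view/acceso.php"

# Combined-style access line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Crude signature list, used only to label why a value looks like injection;
# the primary decision is the allow-list check (digits only) in classify_idestudio.
SQLI_HINTS = re.compile(
    r"(?i)(\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\bbenchmark\s*\(|--|/\*|#|;|')"
)

# Constructed access-log lines (not from any real system).
SAMPLE_LOG = f"""
10.0.0.5 - jlopez [01/Aug/2025:12:47:45 +0200] "GET {ENDPOINT}?idestudio=1234 HTTP/1.1" 200 5120
10.0.0.5 - jlopez [01/Aug/2025:12:48:02 +0200] "GET {ENDPOINT}?idestudio=1234%20OR%201%3D1 HTTP/1.1" 200 98211
198.51.100.7 - mrojas [01/Aug/2025:12:50:19 +0200] "GET {ENDPOINT}?idestudio=0%20UNION%20SELECT%20table_name%2Cnull%20FROM%20information_schema.tables HTTP/1.1" 200 77012
198.51.100.7 - mrojas [01/Aug/2025:12:50:40 +0200] "GET /encuestas/integraweb_v4/integra/html/view/otro.php?idestudio=1%27 HTTP/1.1" 404 310
10.0.0.9 - - [01/Aug/2025:12:52:03 +0200] "GET {ENDPOINT}?idestudio=12%2527%20AND%20SLEEP(5)%2523 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Aug/2025:12:52:30 +0200] "GET {ENDPOINT}?idestudio=abc HTTP/1.1" 200 5120
"""


def classify_idestudio(value):
    """None for a well-formed id, otherwise a label for the anomaly."""
    # parse_qs already decoded once; decode again to catch double encoding
    # (%2527 -> %27 -> ').
    decoded = unquote_plus(value)
    if decoded.isdigit():
        return None
    if SQLI_HINTS.search(decoded) or SQLI_HINTS.search(value):
        return "sqli-pattern"
    return "non-numeric"


def scan_log(text):
    """One finding per anomalous idestudio value sent to the advisory's endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue  # other endpoints are out of scope for this advisory
        for raw in parse_qs(url.query, keep_blank_values=True).get("idestudio", []):
            verdict = classify_idestudio(raw)
            if verdict:
                findings.append({
                    "ts": m["ts"], "ip": m["ip"], "user": m["user"],
                    "status": int(m["status"]), "verdict": verdict,
                    "idestudio": unquote_plus(raw),
                })
    return findings


def attempts_by_user(findings):
    """Pivot on the account, since the advisory's precondition is a valid login."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} user={f['user']} ip={f['ip']} {f['verdict']}: {f['idestudio']!r}")
    print("attempts per account:", dict(attempts_by_user(found)))
```

Access logs only record the query string, so if the application submits 'idestudio' in a POST body the same check has to run on the WAF or application request log instead; the 200 status on the injection lines is also worth noting, since a successful injection looks like a normal page load to the web server. The digits-only rule rests on the assumption that the parameter is numeric; confirm that against legitimate traffic before alerting on it.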
Affected Countries
Spain, Germany, France, Italy, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:57:06.080Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 688cb771ad5a09ad00c8e377
Added to database: 8/1/2025, 12:47:45 PM
Last enriched: 8/1/2025, 1:03:37 PM
Last updated: 9/1/2025, 10:20:55 PM
Views: 31
Related Threats
CVE-2025-9785: CWE-295 Improper Certificate Validation in PaperCut Print Deploy (High)
CVE-2025-58176: CWE-94: Improper Control of Generation of Code ('Code Injection') in OpenAgentPlatform Dive (High)
CVE-2025-58170 (Low)
CVE-2025-58169 (Low)
CVE-2025-58168 (Low)