CVE-2025-4738 is a critical SQL Injection vulnerability (CWE-89) found in Yirmibes Software's MY ERP product, affecting versions prior to 1.170. The vulnerability arises due to improper neutralization of special elements in SQL commands, allowing an attacker to inject malicious SQL code. This flaw enables remote attackers to execute arbitrary SQL queries without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The vulnerability impacts confidentiality, integrity, and availability of the affected systems, with potential for data exfiltration, unauthorized data modification, and disruption of ERP services. MY ERP is an enterprise resource planning system, which typically manages critical business functions such as finance, supply chain, and human resources. Exploitation could lead to severe operational and financial damage. Although no known exploits are currently observed in the wild, the high CVSS score (9.8) and ease of exploitation make this a significant threat that demands immediate attention. The lack of available patches at the time of publication increases risk exposure for organizations using affected versions.

For European organizations, the impact of this vulnerability is substantial due to the critical role ERP systems play in business operations. Successful exploitation could result in unauthorized access to sensitive corporate data, including financial records, employee information, and proprietary business processes. Data integrity could be compromised by unauthorized modifications, potentially leading to incorrect financial reporting or supply chain disruptions. Availability of ERP services could be affected through denial-of-service conditions caused by malicious queries. Given the interconnected nature of ERP systems with other enterprise applications, the breach could cascade, affecting broader IT infrastructure. Regulatory compliance risks are also significant, especially under GDPR, where data breaches involving personal data can lead to heavy fines and reputational damage. European organizations in manufacturing, retail, logistics, and finance sectors that rely on MY ERP are particularly vulnerable. The absence of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation.

1. Immediate upgrade to MY ERP version 1.170 or later once patches are released by Yirmibes Software. 2. Until patches are available, implement Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection patterns targeting MY ERP endpoints. 3. Conduct thorough input validation and sanitization on all user-supplied data interfacing with the ERP system, employing parameterized queries or prepared statements where possible. 4. Restrict network access to the MY ERP application to trusted internal networks and VPNs to reduce exposure to external attackers. 5. Monitor database logs and application logs for unusual query patterns indicative of SQL injection attempts. 6. Perform regular security assessments and penetration testing focused on SQL injection vulnerabilities within MY ERP. 7. Educate IT and security teams on the specific risks associated with this vulnerability to ensure rapid detection and response. 8. Implement database user privilege minimization, ensuring the ERP application operates with the least privileges necessary to limit potential damage from exploitation.