CVE-2025-48701 is a medium-severity SQL Injection vulnerability affecting openDCIM, an open-source data center infrastructure management software. The vulnerability exists in the people_depts.php component of openDCIM versions up to and including 23.04. The root cause is the failure to use prepared statements when handling SQL queries, leading to improper neutralization of special elements in SQL commands (CWE-89). This allows an attacker with at least low privileges (PR:L) and network access (AV:N) to inject malicious SQL code without requiring user interaction (UI:N). The vulnerability impacts confidentiality and integrity by potentially allowing unauthorized reading or modification of database contents, but does not affect availability. The CVSS v3.1 base score is 5.4, reflecting a medium severity level. No known exploits are currently reported in the wild, and no official patches or mitigations have been linked yet. The vulnerability’s scope is unchanged (S:U), meaning the impact is limited to the vulnerable component and does not extend beyond the affected system. The vulnerability requires an attacker to have some level of authenticated access, which limits exploitation to insiders or compromised accounts. However, given that openDCIM is often used to manage critical infrastructure data centers, the risk of data leakage or unauthorized data manipulation is significant if exploited.

For European organizations, the impact of this SQL Injection vulnerability in openDCIM could be substantial, particularly for data centers and enterprises relying on openDCIM for managing physical infrastructure, asset tracking, and capacity planning. Exploitation could lead to unauthorized disclosure of sensitive infrastructure data, modification of records, or escalation of privileges within the management system. This could disrupt operational integrity, cause mismanagement of data center resources, or facilitate further attacks on critical infrastructure. Given the increasing regulatory focus on data protection and operational security in Europe (e.g., GDPR, NIS Directive), such a vulnerability could also lead to compliance violations and reputational damage. While the vulnerability does not directly impact availability, the indirect effects on operational processes and trustworthiness of infrastructure data could be severe.

European organizations using openDCIM should immediately audit their deployments to identify affected versions (up to 23.04). Since no official patches are currently linked, organizations should implement compensating controls such as: 1) Restricting access to the openDCIM management interface to trusted internal networks and authenticated users only. 2) Implementing strict input validation and sanitization at the web application firewall (WAF) or reverse proxy level to block suspicious SQL syntax patterns targeting people_depts.php. 3) Monitoring database query logs and application logs for anomalous or unexpected SQL commands indicative of injection attempts. 4) Enforcing the principle of least privilege for openDCIM user accounts to limit the potential damage from compromised credentials. 5) Preparing for rapid patch deployment once an official fix is released by the openDCIM project. Additionally, organizations should consider isolating openDCIM instances from other critical systems to contain potential breaches.