CVE-2025-5170: SQL Injection in llisoft MTA Maita Training System
A vulnerability classified as critical was found in llisoft MTA Maita Training System 4.5. This vulnerability affects the function AdminShitiListRequestVo of the file com\llisoft\controller\admin\shiti\AdminShitiController.java. The manipulation of the argument stTypeIds leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-5170 is a SQL injection vulnerability in version 4.5 of the llisoft MTA Maita Training System, located in the AdminShitiListRequestVo handling of AdminShitiController.java. The stTypeIds argument is incorporated into a database query without adequate validation or parameter binding, so a remote attacker who can reach this controller can alter the statement the application executes. No user interaction is required. Two details temper the severity: the controller lives in the admin package, and the published CVSS 4.0 base score of 5.3 (medium) with low confidentiality, integrity and availability impact is consistent with a vector that requires a low-privileged account rather than no authentication at all (an unauthenticated vector with the same impacts would score higher). The VulDB description states only that the attack can be initiated remotely, so the endpoint should be treated as reachable by any authenticated user who can call the admin listing until the vendor clarifies otherwise. The vendor has not responded to the disclosure, and no patch or official mitigation has been released. No in-the-wild exploitation has been reported, but exploit details are public, which lowers the bar for opportunistic attacks.
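To make the flaw concrete, here is an added example (not code from llisoft or from the advisory) of the pattern the description implies: a comma-separated stTypeIds list spliced into an IN clause, beside a hardened version that validates the shape and binds every id. The table, column and query shape are assumptions; the real MTA schema and the exact query behind AdminShitiListRequestVo are not public. It runs against an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed stand-in schema. The real MTA table/column names and the query
# behind AdminShitiListRequestVo are not public; these are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE shiti (id INTEGER PRIMARY KEY, st_type_id INTEGER, title TEXT);
        CREATE TABLE admin_user (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO shiti VALUES (1, 1, 'question A'), (2, 2, 'question B'), (3, 3, 'question C');
        INSERT INTO admin_user VALUES (1, 'admin', 'sha256$deadbeef');
    """)
    return conn


def list_shiti_vulnerable(conn, st_type_ids):
    """Vulnerable pattern: the raw parameter is spliced into the IN list.

    Whatever the caller puts in st_type_ids becomes part of the statement text.
    """
    sql = ("SELECT id, title FROM shiti WHERE st_type_id IN ("
           + st_type_ids + ") ORDER BY id")
    return conn.execute(sql).fetchall()


# Shape of a legitimate value: one or more integers separated by commas.
ID_LIST = re.compile(r"\d+(?:,\d+)*")


def list_shiti_safe(conn, st_type_ids):
    """Hardened version: validate the shape, then bind each id as a parameter.

    The IN list is built from placeholders only; user data never reaches the SQL text.
    """
    if not ID_LIST.fullmatch(st_type_ids):
        raise ValueError("stTypeIds must be a comma-separated list of integers")
    ids = [int(x) for x in st_type_ids.split(",")]
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, title FROM shiti WHERE st_type_id IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, ids).fetchall()


# Constructed payload: closes the IN list, appends a UNION that reads the
# admin table, and comments out the remainder of the original statement.
PAYLOAD = "1) UNION SELECT id, username || ':' || password_hash FROM admin_user--"


def demo():
    """Run the same payload through both versions and report what happened."""
    conn = make_db()
    leaked = list_shiti_vulnerable(conn, PAYLOAD)
    try:
        list_shiti_safe(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "normal": list_shiti_safe(conn, "1,2"),
        "leaked": leaked,
        "payload_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable call returns the admin credential row alongside the legitimate question, while the hardened call refuses the payload before any SQL is built. The allow-list check is the part that matters for a list parameter: even with bound parameters, a value that is not a clean integer list should be rejected, not silently split.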
Potential Impact
For European organizations running llisoft MTA Maita Training System 4.5, this vulnerability could allow unauthorized reading or modification of training data held in the application database. An attacker able to reach the affected admin listing could extract confidential records, alter training content or results, or degrade availability by driving expensive or destructive queries, undermining the integrity of training records, compliance reporting and day-to-day operation. No user interaction is needed and exploit details are public, so an attacker who holds, phishes or brute-forces an account that can reach the endpoint can exploit it with little effort. Education providers, corporate training departments and public-sector bodies that rely on this system may face data breaches, reputational damage and GDPR penalties if personal data is exposed or altered.
Mitigation Recommendations
Since no official patch is available, organizations should put compensating controls in place now. Restrict stTypeIds at the edge: a web application firewall rule that only accepts a comma-separated list of integers for that parameter (and blocks anything else) is narrower and less noisy than generic SQL injection signatures. If source code access is possible, fix the root cause: validate the parameter against the same integer-list shape and build the IN clause from bound placeholders rather than by concatenating or template-substituting the raw value into the query. Reduce reach and blast radius: expose the admin interface only to trusted networks or a VPN, enforce MFA on admin accounts, review who holds them, and run the application with a database account limited to its own schema so an injection cannot read or alter other data. Monitor for exploitation by reviewing requests to the admin endpoint for malformed stTypeIds values and for unusual query patterns or error spikes in the database logs. Keep pressing the vendor for a fix, plan an upgrade or replacement if none arrives, and maintain tested database backups so tampered data can be restored.
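For the log-monitoring recommendation, an added example (not from the page or the vendor) that scans access-log lines and flags any request whose stTypeIds value is not a plain comma-separated integer list. The log lines are constructed and the /admin/shiti/list route is an assumption used for illustration; the advisory names the Java controller, not the URL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Legitimate shape of stTypeIds: integers separated by commas, nothing else.
ID_LIST = re.compile(r"\d+(?:,\d+)*")

# Combined-log-format prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines. The /admin/shiti/list path is an assumption; the
# advisory gives the controller class, not the route it is mapped to.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2025:05:07:03 +0000] "GET /admin/shiti/list?stTypeIds=1,2,3&page=1 HTTP/1.1" 200 8123
10.0.0.9 - - [26/May/2025:05:07:11 +0000] "GET /admin/shiti/list?stTypeIds=1)%20UNION%20SELECT%20id,username%20FROM%20admin_user--&page=1 HTTP/1.1" 200 9044
10.0.0.9 - - [26/May/2025:05:07:19 +0000] "GET /admin/shiti/list?stTypeIds=1,2%20AND%20SLEEP(5) HTTP/1.1" 200 321
10.0.0.7 - - [26/May/2025:05:08:02 +0000] "GET /admin/shiti/list?stTypeIds=7 HTTP/1.1" 200 2210
10.0.0.7 - - [26/May/2025:05:08:30 +0000] "POST /admin/shiti/list HTTP/1.1" 200 2210
"""


def check_line(line):
    """Return a finding for a request whose stTypeIds is malformed, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes values, so encoded payloads are inspected in clear.
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for value in params.get("stTypeIds", []):
        if not ID_LIST.fullmatch(value):
            return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "stTypeIds": value}
    return None


def scan(log_text):
    """Scan a whole log and return the findings in file order."""
    return [hit for hit in map(check_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two caveats when deploying this: access logs only record the query string, so if the application accepts stTypeIds in a POST body the same check has to run in the WAF or the application itself; and an injected request that returns 200 with a larger-than-usual response body (as in the second sample line) is a stronger signal than the payload string alone, so log the response size alongside the finding.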
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-25T13:23:53.823Z
- CISA Enriched: false
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6833f6f70acd01a249283d96
Added to database: 5/26/2025, 5:07:03 AM
Last enriched: 7/9/2025, 1:42:16 PM
Last updated: 8/18/2025, 11:34:24 PM
Related Threats
- CVE-2025-24902: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA (Critical)
- CVE-2025-52451: CWE-20 Improper Input Validation in Salesforce Tableau Server (High)
- CVE-2025-52450: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Salesforce Tableau Server (High)
- CVE-2025-26498: CWE-434 Unrestricted Upload of File with Dangerous Type in Salesforce Tableau Server (Critical)
- CVE-2025-26497: CWE-434 Unrestricted Upload of File with Dangerous Type in Salesforce Tableau Server (High)