CVE-2025-5176 is a critical SQL Injection vulnerability identified in the Realce Tecnologia Queue Ticket Kiosk product, specifically affecting versions up to 20250517. The vulnerability resides in the Admin Login Page component, within the /adm/index.php file. The flaw is triggered by manipulation of the 'Usuário' parameter, which is insufficiently sanitized, allowing an attacker to inject malicious SQL commands. This injection can be exploited remotely without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the backend database, potentially allowing attackers to extract sensitive data, modify or delete records, or disrupt service operations. Despite the critical nature of the flaw, the vendor has not responded to disclosure attempts, and no patches or mitigations have been published. No known exploits are currently reported in the wild, but the ease of exploitation and lack of vendor response increase the risk of future exploitation. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting the vulnerability's significant impact but limited scope due to the specific affected component and product. The Queue Ticket Kiosk is typically used in environments managing customer queues and ticketing, making the integrity and availability of the system crucial for operational continuity.

For European organizations using the Realce Tecnologia Queue Ticket Kiosk, this vulnerability poses a substantial risk. The SQL Injection could lead to unauthorized access to sensitive customer data, including personally identifiable information (PII), which would have serious implications under the EU's GDPR regulations, potentially resulting in heavy fines and reputational damage. Operational disruption caused by data manipulation or denial of service could affect service delivery in public-facing environments such as government offices, healthcare facilities, or transportation hubs where queue management systems are critical. The ability to exploit this vulnerability remotely without authentication increases the attack surface, making it easier for threat actors to target these systems. Additionally, compromised kiosks could be leveraged as pivot points for lateral movement within organizational networks, escalating the overall risk posture. The lack of vendor response and absence of patches further exacerbate the threat, leaving organizations exposed until mitigations are implemented independently.

Given the absence of official patches, European organizations should implement immediate compensating controls. These include deploying web application firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts targeting the 'Usuário' parameter in the /adm/index.php endpoint. Network segmentation should isolate the Queue Ticket Kiosk systems from critical backend infrastructure to limit potential lateral movement. Organizations should conduct thorough input validation and sanitization at the application level if they have the capability to modify the source code or request vendor support. Regular monitoring of logs for suspicious SQL queries or unusual access patterns is essential to detect exploitation attempts early. Restricting access to the admin interface by IP whitelisting or VPN-only access can reduce exposure. Additionally, organizations should prepare incident response plans tailored to potential data breaches stemming from this vulnerability. Finally, maintaining up-to-date backups of the database and system configurations will aid in recovery if an attack occurs.