
CVE-2025-52047: n/a

Severity: Medium
Tags: Vulnerability, CVE-2025-52047, cve, cve-2025-52047
Published: Tue Sep 30 2025 (09/30/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

In Frappe ErpNext v15.57.5, the function get_income_account() at erpnext/controllers/queries.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting a SQL query into the filters.disabled parameter.

AI-Powered Analysis

Last updated: 09/30/2025, 14:08:50 UTC

Technical Analysis

CVE-2025-52047 is a SQL injection vulnerability in Frappe ERPNext version 15.57.5, in the function get_income_account() in erpnext/controllers/queries.py. The function builds an SQL query from the caller-supplied filters.disabled value without validating it or binding it as a query parameter, so a value that contains SQL syntax changes the statement itself instead of being compared as data. An attacker who can reach the function can therefore alter the query and read rows it was never meant to return; the CVE description states that all information in the database can be extracted this way.

ERPNext is an open-source ERP that stores accounting, inventory, HR and related business data, so the database behind it typically holds financial records, employee information and operational data. No CVSS score has been assigned and no public exploit was known when this record was created, but SQL injection in a database-backed query function is inherently high-impact: it allows data exfiltration and, depending on the privileges of the database account, further compromise.

The CVE record does not state whether authentication is required. The query helpers in erpnext/controllers/queries.py are normally invoked as link-field search queries through Frappe's whitelisted search API, with the filters object supplied by the client as JSON; the realistic precondition is therefore an authenticated user with ordinary desk access, and weak or misconfigured access control widens the population that can reach the injection point. No patch or vendor advisory was linked at the time of writing, so organizations running the affected version should confirm their installed version, limit exposure and track the upstream fix.
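The injection pattern the description implies, shown here as an added illustration rather than ERPNext's own code: a hypothetical query helper that interpolates filters.disabled into the SQL text, beside a hardened version that restricts the value to the 0/1 the column can hold and binds it as a parameter. SQLite stands in for MariaDB (in Frappe the equivalent is passing values to frappe.db.sql as named parameters), and the tables, accounts and API secret are constructed for this example only.

```python
import sqlite3

# Added illustration, not ERPNext code. In-memory SQLite stand-in for the
# MariaDB tables Frappe would query; table/column contents are constructed.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE tabAccount (name TEXT, account_type TEXT, disabled INTEGER);
        INSERT INTO tabAccount VALUES ('Sales - X', 'Income Account', 0),
                                      ('Old Sales - X', 'Income Account', 1),
                                      ('Cash - X', 'Cash', 0);
        CREATE TABLE tabUser (name TEXT, api_secret TEXT);
        INSERT INTO tabUser VALUES ('admin@example.test', 'secret-api-key-123');
        """
    )
    return db


def get_income_account_unsafe(db, filters):
    # Hypothetical vulnerable pattern: the caller-controlled filter value is
    # pasted into the statement, so any string becomes part of the SQL.
    disabled = filters.get("disabled", 0)
    sql = (
        "SELECT name FROM tabAccount "
        f"WHERE disabled = {disabled} "
        "AND account_type IN ('Income Account', 'Temporary') ORDER BY name"
    )
    return [row[0] for row in db.execute(sql)]


def get_income_account_safe(db, filters):
    # Hardened form: accept only the values a Check field can hold, then bind
    # the value as a parameter so the driver never treats it as SQL text.
    raw = filters.get("disabled", 0)
    if isinstance(raw, str):
        raw = raw.strip()
    if raw not in (0, 1, "0", "1", True, False):
        raise ValueError(f"invalid value for filters.disabled: {raw!r}")
    disabled = int(raw)
    sql = (
        "SELECT name FROM tabAccount WHERE disabled = ? "
        "AND account_type IN ('Income Account', 'Temporary') ORDER BY name"
    )
    return [row[0] for row in db.execute(sql, (disabled,))]


# Generic UNION-based payload: the trailing comment drops the rest of the
# original WHERE clause, and the UNION appends rows from an unrelated table.
PAYLOAD = "0 UNION SELECT api_secret FROM tabUser --"

if __name__ == "__main__":
    db = build_db()
    print("unsafe, normal input :", get_income_account_unsafe(db, {"disabled": 0}))
    print("unsafe, payload      :", get_income_account_unsafe(db, {"disabled": PAYLOAD}))
    print("safe, normal input   :", get_income_account_safe(db, {"disabled": "0"}))
    try:
        get_income_account_safe(db, {"disabled": PAYLOAD})
    except ValueError as exc:
        print("safe, payload        : rejected,", exc)
```

The unsafe helper returns the API secret alongside the income accounts because the filter value rewrote the statement; the hardened helper rejects the same input before any SQL runs, and even a value that slipped past the type check would only ever be compared as data because it is bound rather than interpolated.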

Potential Impact

For European organizations, the impact of this vulnerability could be severe. ERP systems like ErpNext often contain critical business data, including financial transactions, customer details, supplier contracts, and employee records. Exploitation could lead to data breaches violating GDPR regulations, resulting in legal penalties and reputational damage. The ability to extract all database information could also facilitate further attacks such as identity theft, fraud, or corporate espionage. Additionally, compromised ERP systems might disrupt business operations, affecting supply chains and financial reporting. Given the stringent data protection laws in Europe and the increasing regulatory scrutiny, any data leakage from ERP platforms can have significant compliance and financial consequences. Organizations in sectors such as manufacturing, retail, and services that rely heavily on ERP solutions are particularly at risk. Furthermore, the exposure of sensitive financial data could attract attention from cybercriminal groups targeting European enterprises for financial gain or geopolitical motives.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first confirm whether they run the affected ERPNext version (v15.57.5); on a bench-managed install, `bench version` lists the installed app versions. Until an upstream fix is applied, the following steps reduce exposure:

1) Restrict access to the interfaces that invoke get_income_account() (link-field searches and the search API that accept a filters parameter) so that only trusted, authenticated users can reach them, and review who holds desk access.
2) Deploy a web application firewall with SQL injection rules, and add a rule for this endpoint that rejects any filters.disabled value other than 0, 1, true or false, which are the only legitimate values for a boolean field.
3) Validate and sanitize all user-supplied data used to build SQL, in particular filter values, by coercing each to its expected type and binding it as a query parameter rather than interpolating it into the SQL text.
4) Monitor database query logs and request logs for anomalous statements or filter values (UNION, comment sequences, quoted strings where a boolean is expected) that indicate exploitation attempts.
5) Apply least privilege to the database account used by ERPNext, limiting its ability to read tables outside the application's needs or to modify data beyond what the application requires.
6) Track the ERPNext project for an official patch addressing this vulnerability and apply it as soon as it is available.
7) Perform regular security assessments and penetration tests focused on injection flaws in ERP modules.

Together these measures reduce the attack surface and help detect or prevent exploitation of this SQL injection flaw.
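One way to implement the log monitoring in step 4 at the request layer, as an added example that is not part of this record or of ERPNext: decode the filters JSON from search requests and flag any request whose filters.disabled value is not a boolean or 0/1, or whose filters parameter is not valid JSON. The log lines are constructed, and the endpoint path, the query parameter names and the `query=` value are assumptions about how Frappe exposes link-field searches; adjust them to what your own access logs show.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request-log lines (combined log format), not real traffic.
# Endpoint path and parameter names are assumptions about Frappe's search API.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Sep/2025:10:01:02 +0000] "GET /api/method/frappe.desk.search.search_link?doctype=Account&txt=Sales&query=erpnext.controllers.queries.get_income_account&filters=%7B%22disabled%22%3A0%7D HTTP/1.1" 200 512
10.0.0.7 - - [30/Sep/2025:10:01:09 +0000] "GET /api/method/frappe.desk.search.search_link?doctype=Account&txt=&query=erpnext.controllers.queries.get_income_account&filters=%7B%22disabled%22%3A%220%20OR%201%3D1%20--%22%7D HTTP/1.1" 200 8192
10.0.0.9 - - [30/Sep/2025:10:02:30 +0000] "GET /api/method/frappe.desk.search.search_link?doctype=Account&txt=Cash&filters=%7B%22company%22%3A%22X%22%7D HTTP/1.1" 200 300
10.0.0.11 - - [30/Sep/2025:10:03:15 +0000] "GET /api/method/frappe.desk.search.search_link?doctype=Account&txt=&filters=%7Bnot-json HTTP/1.1" 417 120
"""

# Client IP and request target from a combined-log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Values a boolean Check field can legitimately carry.
ALLOWED_DISABLED = {0, 1, True, False, "0", "1"}


def check_filters(raw_filters):
    """Return a reason string if the filters value looks hostile, else None."""
    try:
        filters = json.loads(raw_filters)
    except ValueError:
        return "filters is not valid JSON"
    if not isinstance(filters, dict):
        return "filters is not a JSON object"
    if "disabled" not in filters:
        return None
    value = filters["disabled"]
    if isinstance(value, (bool, int, str)) and value in ALLOWED_DISABLED:
        return None
    return f"unexpected filters.disabled value: {value!r}"


def suspicious_requests(log_text):
    """Scan log lines; return (client_ip, reason) for each hostile-looking request."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("target")).query)
        for raw in query.get("filters", []):
            reason = check_filters(raw)
            if reason:
                findings.append((match.group("ip"), reason))
    return findings


if __name__ == "__main__":
    for ip, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Run against the constructed sample, the scan reports the request from 10.0.0.7 (a string with SQL syntax where a boolean is expected) and the one from 10.0.0.11 (unparseable filters); the two legitimate requests produce no finding. The same allow-list check is what a WAF rule for step 2 would enforce inline.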


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
CVSS Version: null (no score assigned)
State: PUBLISHED

Threat ID: 68dbe4577491dc7f348b7539

Added to database: 9/30/2025, 2:08:23 PM

Last enriched: 9/30/2025, 2:08:50 PM

Last updated: 10/2/2025, 7:10:22 PM
