CVE-2025-52049: n/a

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-52049
Published: Tue Sep 30 2025 (09/30/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

In Frappe ErpNext v15.57.5, the function get_timesheet_detail_rate() at erpnext/projects/doctype/timesheet/timesheet.py is vulnerable to SQL Injection, which allows an attacker to extract all information from databases by injecting SQL query into the timelog parameter.

AI-Powered Analysis

AI analysis last updated: 10/01/2025, 00:11:21 UTC

Technical Analysis

CVE-2025-52049 is a medium severity SQL Injection vulnerability identified in Frappe ErpNext version 15.57.5, specifically within the function get_timesheet_detail_rate() located in the erpnext/projects/doctype/timesheet/timesheet.py file. This vulnerability arises due to improper sanitization or validation of the 'timelog' parameter, which is used in constructing SQL queries. An attacker can exploit this flaw by injecting malicious SQL code into the 'timelog' parameter, enabling unauthorized extraction of sensitive information from the underlying database. The vulnerability does not require any authentication or user interaction, and it can be exploited remotely over the network (AV:N). The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact primarily affects confidentiality and integrity, allowing data leakage and potential unauthorized data manipulation, but it does not affect availability. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The vulnerability is classified under CWE-89, which corresponds to SQL Injection flaws. Given the critical role of ErpNext as an open-source ERP system widely used for business management, exploitation of this vulnerability could lead to significant data breaches and compromise of business operations.
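The flaw class described above, shown as an added example that is not ErpNext's code: a query that splices the caller-controlled `timelog` value into the SQL text, next to the parameterized form that fixes it. The in-memory SQLite table, its column names, the sample document names and the rate values are all constructed for illustration and are not ErpNext's schema; in Frappe code the equivalent hardening is passing the value through the `values` argument of `frappe.db.sql` instead of formatting it into the query string.

```python
"""Added example (not ErpNext's code): string-built SQL beside the
parameterized form.  Table, columns and values are constructed stand-ins."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for a timesheet detail table; not ErpNext's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE timesheet_detail "
        "(name TEXT PRIMARY KEY, billing_rate REAL, project TEXT)"
    )
    conn.executemany(
        "INSERT INTO timesheet_detail VALUES (?, ?, ?)",
        [
            ("TS-DETAIL-0001", 120.0, "PROJ-A"),
            ("TS-DETAIL-0002", 95.0, "PROJ-B"),
            ("TS-DETAIL-0003", 150.0, "PROJ-A"),
        ],
    )
    return conn


def get_rate_vulnerable(conn: sqlite3.Connection, timelog: str) -> list:
    # Defective pattern (CWE-89): the value is pasted into the SQL text, so a
    # quote character in `timelog` terminates the literal and the rest of the
    # input becomes part of the WHERE clause.
    sql = f"SELECT billing_rate FROM timesheet_detail WHERE name = '{timelog}'"
    return [row[0] for row in conn.execute(sql)]


def get_rate_fixed(conn: sqlite3.Connection, timelog: str) -> list:
    # Hardened pattern: the driver binds the value as data.  The statement's
    # structure is fixed before the input is seen, so the input can only ever
    # be compared literally against the name column.
    sql = "SELECT billing_rate FROM timesheet_detail WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (timelog,))]


def main() -> None:
    conn = make_db()
    crafted = "' OR '1'='1"  # classic tautology, constructed for the demo
    print(get_rate_vulnerable(conn, "TS-DETAIL-0001"))  # one rate, as intended
    print(get_rate_vulnerable(conn, crafted))  # every row's rate comes back
    print(get_rate_fixed(conn, crafted))  # no such document: empty list


if __name__ == "__main__":
    main()
```

Run it once and compare the second and third lines of output: the string-built query returns the whole column because the WHERE clause has been rewritten, while the bound query returns nothing because no document is literally named `' OR '1'='1`.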

Potential Impact

For European organizations utilizing Frappe ErpNext, this vulnerability poses a significant risk to the confidentiality and integrity of their business data, including sensitive project timesheets and potentially other linked database information. Unauthorized data extraction could lead to exposure of proprietary business information, employee data, and financial records, which could result in regulatory non-compliance under GDPR and other data protection laws. The integrity impact could allow attackers to manipulate timesheet data, potentially affecting payroll and project management accuracy. Although availability is not directly impacted, the breach of sensitive data could damage organizational reputation and trust. Given the remote exploitation capability without authentication, attackers could target exposed ErpNext instances, especially those accessible over the internet without adequate network protections. This vulnerability could also be leveraged as a foothold for further attacks within the corporate network.

Mitigation Recommendations

European organizations should immediately audit their use of Frappe ErpNext, specifically checking for version 15.57.5 or earlier versions that might be affected. Until an official patch is released, organizations should implement the following mitigations:

1) Restrict network access to ErpNext instances by enforcing strict firewall rules and VPN-only access to reduce exposure to the internet.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'timelog' parameter.
3) Conduct thorough input validation and sanitization on all user-supplied data, especially parameters used in SQL queries.
4) Monitor database query logs for unusual or suspicious activity indicative of injection attempts.
5) Regularly back up critical data and verify backup integrity to enable recovery in case of data manipulation.
6) Engage with the ErpNext community or vendor to track patch releases and apply updates promptly once available.
7) Consider deploying runtime application self-protection (RASP) tools to detect and block injection attacks in real time.

These steps go beyond generic advice by focusing on immediate containment and proactive detection tailored to this specific vulnerability.
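Items 3 and 4 above, as an added example that is neither ErpNext's nor any vendor's code: a strict allow-list check for the `timelog` parameter, and a scan over web-server access logs that flags requests whose `timelog` value fails that check, so the same rule serves both input validation and retrospective detection. The log layout, the request path, the client addresses and the accepted name pattern are assumptions constructed for the example; adjust the pattern to whatever document-name format your instance actually issues.

```python
"""Added example (not ErpNext's code): allow-list validation of `timelog`
plus a log scan that reports requests failing it.  Log lines, path and
the accepted name pattern are constructed assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate timelog value is a document name made only of
# letters, digits, hyphens, dots and underscores.  Quotes, spaces, comment
# markers and semicolons never appear in a genuine name, so they are rejected
# before any query is built.
TIMELOG_NAME = re.compile(r"[A-Za-z0-9._-]{1,140}")


def is_valid_timelog(value: str) -> bool:
    """Return True only when `value` is a plausible document name."""
    return TIMELOG_NAME.fullmatch(value) is not None


# Constructed access-log lines in a combined-log-style layout.  The
# /api/method/... path is an assumption about how the endpoint is exposed.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Sep/2025:10:01:02 +0000] "GET /api/method/erpnext.projects.doctype.timesheet.timesheet.get_timesheet_detail_rate?timelog=TS-DETAIL-0001&currency=EUR HTTP/1.1" 200 51
10.0.0.9 - - [30/Sep/2025:10:01:07 +0000] "GET /api/method/erpnext.projects.doctype.timesheet.timesheet.get_timesheet_detail_rate?timelog=%27%20OR%20%271%27%3D%271&currency=EUR HTTP/1.1" 200 880
10.0.0.5 - - [30/Sep/2025:10:01:09 +0000] "GET /app/timesheet HTTP/1.1" 200 4402
10.0.0.9 - - [30/Sep/2025:10:01:12 +0000] "GET /api/method/erpnext.projects.doctype.timesheet.timesheet.get_timesheet_detail_rate?timelog=TS-DETAIL-0002%27-- HTTP/1.1" 500 120
"""

# One request line: client, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_log(text: str) -> list:
    """Return one finding per request whose decoded `timelog` fails the check."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        # parse_qs percent-decodes, so encoded quotes are inspected as quotes.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in query.get("timelog", []):
            if not is_valid_timelog(value):
                findings.append(
                    {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "timelog": value}
                )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} status={finding['status']} "
              f"timelog={finding['timelog']!r}")
```

The validator is deliberately an allow-list rather than a deny-list of SQL keywords: it only has to describe what a genuine document name looks like, which is far easier to get right than enumerating every encoding an attacker might use. Run as a script, it lists the two constructed requests whose `timelog` value is not a plausible name, including the one that returned HTTP 200 and would not stand out on status code alone.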

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-16T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68dc71325d588c52e5de4772

Added to database: 10/1/2025, 12:09:22 AM

Last enriched: 10/1/2025, 12:11:21 AM

Last updated: 10/1/2025, 3:25:35 AM
