CVE-2025-52390 is a SQL Injection vulnerability identified in the Saurus CMS Community Edition, specifically within the `prepareSearchQuery()` method of the `FulltextSearch.class.php` file. This vulnerability arises because the application directly concatenates user-supplied input, namely the `$search_word` parameter, into SQL queries without any sanitization or parameterization. As a result, an attacker can manipulate the SQL query logic by injecting malicious SQL code. This can lead to unauthorized data access, including extraction of sensitive information stored in the database, or potentially allow privilege escalation if the database user has sufficient permissions. The vulnerability has been present since at least April 23, 2010, as indicated by the commit reference. No patch or fix is currently linked, and no known exploits have been reported in the wild as of the publication date. The absence of a CVSS score means the severity must be assessed based on the nature of the vulnerability and its potential impact. SQL Injection vulnerabilities are critical because they directly affect the confidentiality, integrity, and availability of data. Exploitation typically requires no authentication and can be performed remotely by submitting crafted input to the vulnerable search functionality. The scope includes all installations of Saurus CMS Community Edition that use the affected code, which may be deployed in various organizational contexts.

For European organizations using Saurus CMS Community Edition, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive data such as user credentials, personal data protected under GDPR, or business-critical information. This could result in regulatory penalties, reputational damage, and operational disruption. Additionally, attackers might leverage the vulnerability to escalate privileges within the CMS or underlying systems, potentially leading to further compromise or persistent access. Given the long presence of the vulnerability and lack of known patches, organizations may be exposed if they have not implemented compensating controls. The impact is heightened for sectors with strict data protection requirements, such as finance, healthcare, and government entities within Europe. Furthermore, exploitation could facilitate lateral movement within networks, increasing the overall risk posture of affected organizations.

To mitigate this vulnerability, European organizations should first identify all instances of Saurus CMS Community Edition in their environment. Since no official patch is currently available, immediate steps include: 1) Implementing Web Application Firewall (WAF) rules to detect and block SQL Injection attempts targeting the search functionality, focusing on suspicious input patterns in the `$search_word` parameter. 2) Conducting code reviews and applying manual sanitization or parameterization of SQL queries in the `prepareSearchQuery()` method, replacing direct concatenation with prepared statements or parameterized queries. 3) Restricting database user permissions to the minimum necessary, limiting the potential damage from exploitation. 4) Monitoring logs for unusual query patterns or errors indicative of injection attempts. 5) Planning for an upgrade or migration to a CMS version or alternative platform that addresses this vulnerability. 6) Educating developers and administrators about secure coding practices to prevent similar issues. These targeted actions go beyond generic advice by focusing on the specific vulnerable component and practical compensations until an official patch is released.