
CVE-2025-5433: SQL Injection in Fengoffice Feng Office

Medium
Published: Mon Jun 02 2025 (06/02/2025, 06:31:04 UTC)
Source: CVE Database V5
Vendor/Project: Fengoffice
Product: Feng Office

Description

A vulnerability was found in Fengoffice Feng Office 3.5.1.5 and classified as critical. Affected by this issue is some unknown functionality of the file /index.php?c=account&a=set_timezone. The manipulation of the argument tz_offset leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/09/2025, 12:41:17 UTC

Technical Analysis

CVE-2025-5433 is a SQL injection vulnerability in Fengoffice Feng Office version 3.5.1.5, located in the /index.php?c=account&a=set_timezone endpoint. The flaw arises from improper sanitization of the 'tz_offset' parameter, which an attacker can manipulate to inject SQL into the query that consumes it. A remote attacker holding low-privileged access (PR:L) can exploit the flaw without any user interaction to execute arbitrary SQL statements against the backend database. Confidentiality, integrity and availability are all affected: an attacker could extract sensitive data, modify or delete records, or disrupt service. The CVSS 4.0 base score is 5.3 (medium): the attack vector is network-based and no user interaction is needed, but low privileges are required and the rated impact on confidentiality, integrity and availability is limited. The vendor has not responded to the disclosure, and no official patch or mitigation guidance has been published. No exploitation in the wild has been reported, but the exploit has been publicly disclosed, which raises the likelihood of attempts. Because Feng Office is a collaborative project management and office suite, exploitation could expose project data, user information and potentially sensitive business documents stored in the system.

Potential Impact

For European organizations using Feng Office 3.5.1.5, this vulnerability poses a significant risk to the confidentiality and integrity of their project management and collaboration data. Successful exploitation could lead to data breaches involving sensitive business information, unauthorized data manipulation, or service disruption. This is particularly critical for sectors handling regulated or sensitive data such as finance, healthcare, legal, and government entities. The ability to remotely exploit this vulnerability without user interaction increases the attack surface, especially for organizations exposing Feng Office to the internet. Additionally, the lack of vendor response and absence of patches means organizations must rely on internal mitigations, increasing operational risk. The medium CVSS score suggests moderate risk, but the real-world impact could be higher depending on the deployment context and data sensitivity. Organizations could face compliance issues under GDPR if personal data is compromised, leading to potential legal and reputational consequences.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement immediate compensating controls. These include:

1) Restricting external access to the Feng Office application by using network-level controls such as VPNs, IP whitelisting, or firewall rules to limit exposure.
2) Implementing web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'tz_offset' parameter.
3) Conducting thorough input validation and sanitization at the application or proxy level if possible, to filter malicious payloads.
4) Monitoring application logs for unusual database errors or suspicious activity related to the vulnerable endpoint.
5) Planning and prioritizing an upgrade or patch deployment once the vendor releases a fix, or considering alternative project management solutions if a timely patch is unavailable.
6) Educating internal security teams about this vulnerability to enhance incident detection and response capabilities.
7) Regularly backing up critical data to enable recovery in case of data integrity compromise.
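The allow-list check behind recommendations 3 and 4, as an added example that is not part of this advisory or of Feng Office's own code: a timezone offset is a small signed number, so anything else sent in tz_offset can be rejected at a proxy and flagged in access logs. The log lines are constructed for the example; the field layout assumes Apache combined format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - alice [09/Jul/2025:12:00:01 +0000] "GET /index.php?c=account&a=set_timezone&tz_offset=2 HTTP/1.1" 200 512
203.0.113.11 - bob [09/Jul/2025:12:00:05 +0000] "GET /index.php?c=account&a=set_timezone&tz_offset=-5.5 HTTP/1.1" 200 512
203.0.113.12 - - [09/Jul/2025:12:00:09 +0000] "GET /index.php?c=account&a=set_timezone&tz_offset=1%27%20OR%201%3D1-- HTTP/1.1" 500 231
203.0.113.13 - carol [09/Jul/2025:12:00:12 +0000] "GET /index.php?c=dashboard HTTP/1.1" 200 9001
"""

# A timezone offset is a signed number of hours, optionally fractional
# (e.g. "-5.5" for UTC-05:30). Anything else is rejected outright.
_TZ_OFFSET_RE = re.compile(r"^-?\d{1,2}(\.\d{1,2})?$")
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def is_valid_tz_offset(value: str) -> bool:
    """Allow-list check usable as a proxy/WAF rule: only plain numeric offsets pass."""
    if not _TZ_OFFSET_RE.match(value):
        return False
    return -14 <= float(value) <= 14  # real UTC offsets fall within this range


def suspicious_requests(log_text: str) -> list:
    """Return (client, decoded tz_offset, status) for set_timezone hits that fail the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/index.php":
            continue
        qs = parse_qs(parts.query)  # also percent-decodes the values
        if qs.get("c") != ["account"] or qs.get("a") != ["set_timezone"]:
            continue
        for raw in qs.get("tz_offset", []):
            if not is_valid_tz_offset(raw):
                hits.append((line.split()[0], raw, m.group("status")))
    return hits


if __name__ == "__main__":
    for client, value, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent tz_offset={value!r} (HTTP {status})")
```

A 500 status paired with a rejected value is the "unusual database error" pattern recommendation 4 asks you to watch for.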


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-01T10:55:38.487Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 683d47f3182aa0cae237a96c

Added to database: 6/2/2025, 6:42:59 AM

Last enriched: 7/9/2025, 12:41:17 PM

Last updated: 8/18/2025, 11:28:22 PM

