CVE-2025-54396: n/a

Medium
Published: Thu Aug 07 2025 (08/07/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows SQL Injection. Authenticated users can exploit this.

AI-Powered Analysis

Last updated: 08/07/2025, 17:04:39 UTC

Technical Analysis

CVE-2025-54396 is a SQL injection vulnerability in Netwrix Directory Manager (formerly known as Imanami GroupID). It affects versions from 11.0.0.0 up to but not including 11.1.25162.02, which indicates that the vendor has addressed the issue in the later patch releases. The vulnerability allows authenticated users to inject malicious SQL code into the application's database queries. Because the flaw requires authentication, an attacker must first obtain valid user credentials or misuse an account with legitimate access. Once authenticated, the attacker can manipulate SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete compromise of the underlying database. No public exploits are currently known to be in the wild, but SQL injection in a directory management tool is concerning because of the sensitive data such software typically manages, including user identities, group memberships, and access permissions. No CVSS score has been assigned, so severity must be assessed from impact and exploitability factors. The vulnerability does not require user interaction beyond authentication, and the scope is limited to systems running the vulnerable versions of Netwrix Directory Manager. The provided data contains no patch links, so users should check with the vendor for the latest updates and remediation instructions.

Potential Impact

For European organizations, this vulnerability poses a significant risk due to the critical role directory management tools play in identity and access management (IAM). Successful exploitation could lead to unauthorized disclosure of sensitive identity data, unauthorized privilege escalation, or manipulation of access controls, potentially enabling lateral movement within enterprise networks. This could result in breaches of personal data protected under GDPR, leading to regulatory penalties and reputational damage. Additionally, compromised directory data could disrupt business operations by affecting authentication and authorization processes. Organizations in sectors with stringent compliance requirements, such as finance, healthcare, and government, are particularly at risk. The requirement for authentication limits the attack surface to insiders or attackers who have already compromised credentials, but this does not diminish the threat, as credential theft is a common attack vector. The lack of known exploits in the wild provides a window for proactive mitigation before widespread exploitation occurs.

Mitigation Recommendations

European organizations should immediately verify their Netwrix Directory Manager version and upgrade to version 11.1.25162.02 or later, where the vulnerability is patched. If an immediate upgrade is not feasible, implement strict access controls to limit the number of users who can authenticate to the application, enforce strong multi-factor authentication (MFA) to reduce the risk of credential compromise, and monitor application logs for unusual SQL query patterns or failed authentication attempts. Apply network segmentation to isolate the directory management system from less trusted network zones. Additionally, conduct regular security assessments and penetration testing focused on IAM components to detect potential injection flaws. Organizations should also review and harden database permissions so that the application account has the minimum necessary privileges, limiting the impact of any successful injection. Finally, maintain up-to-date backups of directory data to enable recovery in case of data tampering.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-07-21T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6894d8b1ad5a09ad00fb1400

Added to database: 8/7/2025, 4:47:45 PM

Last enriched: 8/7/2025, 5:04:39 PM

Last updated: 8/8/2025, 5:59:15 PM
