CVE-2025-56700 is a Boolean SQL injection vulnerability identified in the Centrax Open PSIM version 6.1 web application developed by Base Digitale Group spa. The vulnerability arises from improper sanitization of the 'datafine' parameter, which is used in SQL queries without adequate validation or parameterization. A low-privileged user who has legitimate access to the platform can exploit this flaw to inject arbitrary SQL commands. This can lead to unauthorized data retrieval, modification, or deletion within the backend database, potentially compromising the confidentiality and integrity of sensitive information managed by the PSIM system. Since the vulnerability requires authentication but only low-level privileges, it lowers the barrier for exploitation compared to unauthenticated attacks. The lack of a published patch or mitigation guidance increases the risk for organizations currently using this version. Although no known exploits have been reported in the wild, the nature of SQL injection vulnerabilities makes them attractive targets for attackers aiming to escalate privileges or extract sensitive data. The absence of a CVSS score necessitates an independent severity assessment based on the impact on confidentiality, integrity, and availability, the ease of exploitation, and the scope of affected systems.

For European organizations, especially those in critical infrastructure sectors such as transportation, energy, and public safety that rely on PSIM solutions like Centrax Open PSIM, this vulnerability poses a significant risk. Exploitation could allow attackers to access sensitive operational data, manipulate security event information, or disrupt system functionality, potentially leading to operational downtime or compromised security monitoring. The ability for a low-privileged authenticated user to execute arbitrary SQL commands increases the threat surface, as insider threats or compromised user accounts could be leveraged to exploit this vulnerability. This could result in data breaches, loss of data integrity, and erosion of trust in security systems. Given the strategic importance of PSIM platforms in managing physical security and incident response, the impact extends beyond IT systems to physical safety and regulatory compliance. Organizations may face legal and reputational consequences if sensitive data is exposed or if security operations are disrupted.

To mitigate this vulnerability, organizations should implement strict input validation and sanitization for the 'datafine' parameter and any other user-supplied inputs within the Centrax Open PSIM web application. Employing prepared statements or parameterized queries can effectively prevent SQL injection attacks. Access controls should be reviewed and tightened to ensure that users have the minimum necessary privileges, reducing the risk posed by low-level users. Monitoring and logging database queries and user activities can help detect suspicious behavior indicative of exploitation attempts. Until an official patch is released, consider deploying web application firewalls (WAFs) with custom rules to block SQL injection patterns targeting the vulnerable parameter. Additionally, conduct regular security assessments and penetration testing focused on injection flaws. Organizations should engage with Base Digitale Group spa for updates and patches and plan for timely application of security updates once available.