CVE-2025-59920: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in systems at work time at work
When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection. If the request is made with the TWAdmin user with the sysadmin role enabled, exploiting the vulnerability will allow commands to be executed on the system; if the user does not belong to the sysadmin role, they will still be able to query data from the database.
AI Analysis
Technical Summary
CVE-2025-59920 is a critical SQL injection vulnerability identified in version 7.0.5 of the 'time at work' software by systems at work. The vulnerability arises from improper neutralization of special elements in the 'IDClient' parameter within a query that retrieves projects assigned to authenticated users. Specifically, the parameter is susceptible to blind SQL injection when the query URL is copied and opened in a new browser window. This flaw allows an authenticated attacker to inject malicious SQL commands. For users with standard privileges, exploitation enables unauthorized querying and extraction of sensitive database information. However, if the attacker has sysadmin privileges (e.g., the TWAdmin user), the vulnerability escalates to allow execution of arbitrary system commands on the host, potentially leading to full system compromise. The attack vector requires network access and authentication but no additional user interaction. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and has a CVSS 4.0 score of 8.6, indicating high severity due to its impact on confidentiality, integrity, and availability, combined with low attack complexity and no requirement for user interaction. No patches or public exploits are currently documented, but the risk remains significant due to the potential for privilege escalation and data exfiltration.
Potential Impact
For European organizations using 'time at work' version 7.0.5, this vulnerability poses a severe risk to data confidentiality and system integrity. Unauthorized database queries by authenticated users can lead to exposure of sensitive project and client data, potentially violating data protection regulations such as GDPR. If exploited by sysadmin-level users, attackers can execute arbitrary commands on the underlying system, risking full system compromise, data destruction, or lateral movement within the network. This can disrupt business operations, damage reputation, and incur regulatory penalties. The vulnerability's exploitation does not require user interaction, increasing the likelihood of automated or targeted attacks. Organizations in sectors with stringent compliance requirements or critical infrastructure relying on this software are particularly vulnerable. The lack of known public exploits currently limits immediate widespread exploitation but does not diminish the urgency for remediation.
Mitigation Recommendations
Immediate mitigation steps include upgrading to a patched version of 'time at work' once available from systems at work. Until a patch is available, the 'IDClient' parameter should be strictly validated server-side (it is an identifier, so anything other than the expected numeric form should be rejected) and passed to the database as a bound parameter of a prepared statement rather than concatenated into the query text, which is what makes the injection possible. Restrict access to the application and database to only necessary users and roles, and minimize the number of accounts holding the sysadmin role, since that role is what turns this injection into command execution. Employ network segmentation and monitoring to detect anomalous query patterns indicative of SQL injection attempts. Enforce strong authentication and session management to prevent credential compromise. Conduct regular security assessments and code reviews focusing on input handling. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to block suspicious SQL injection payloads targeting this parameter. Finally, maintain comprehensive logging and alerting to facilitate rapid incident response if exploitation is attempted.
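The following is an added illustration, not code from time@work or from the advisory, of the two controls recommended above: the vulnerable pattern (request parameter spliced into the SQL text, the CWE-89 defect) next to a hardened handler that validates 'IDClient' as an integer, binds it as a query parameter, and additionally checks that the authenticated user is actually entitled to that client, which addresses the "copied URL opened elsewhere" scenario even for well-formed IDs. The table name, column names and the `allowed_clients` authorization set are assumptions chosen for the demo; the in-memory SQLite database stands in for the real backend.

```python
import re
import sqlite3

# Constructed demo schema; table/column names are assumptions, not the product's real schema.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE projects (id INTEGER PRIMARY KEY, idclient INTEGER, name TEXT);
        INSERT INTO projects VALUES (1, 10, 'Client 10 audit');
        INSERT INTO projects VALUES (2, 10, 'Client 10 migration');
        INSERT INTO projects VALUES (3, 20, 'Client 20 rollout');
    """)
    return conn


def projects_vulnerable(conn: sqlite3.Connection, idclient: str) -> list:
    """Vulnerable pattern (CWE-89): the raw request value becomes part of the SQL text.

    A tampered IDClient value changes the query's logic instead of just its operand,
    so the result set is no longer bounded to the requested client.
    """
    sql = "SELECT id, name FROM projects WHERE idclient = " + idclient
    return list(conn.execute(sql))


# Identifier shape we accept: a plain positive integer of bounded length.
_IDCLIENT_RE = re.compile(r"[1-9]\d{0,9}")


def projects_hardened(conn: sqlite3.Connection, idclient: str, allowed_clients: set) -> list:
    """Hardened handler: validate, parameterize, authorize.

    1. Validate: reject anything that is not a well-formed integer identifier.
    2. Parameterize: the value is bound by the driver and can never alter the SQL text.
    3. Authorize: even a well-formed ID is served only if this user may see that client
       (assumed `allowed_clients` set derived from the authenticated session).
    """
    if not _IDCLIENT_RE.fullmatch(idclient):
        raise ValueError("IDClient must be a positive integer")
    client_id = int(idclient)
    if client_id not in allowed_clients:
        raise PermissionError("IDClient not assigned to the authenticated user")
    sql = "SELECT id, name FROM projects WHERE idclient = ?"
    return list(conn.execute(sql, (client_id,)))


if __name__ == "__main__":
    db = build_demo_db()
    # Normal request: both handlers return the two projects of client 10.
    print(projects_vulnerable(db, "10"))
    print(projects_hardened(db, "10", allowed_clients={10}))
    # Tampered parameter value (constructed): the vulnerable handler now leaks every
    # client's projects, the hardened handler refuses the value before it reaches SQL.
    print(projects_vulnerable(db, "10 OR 1=1"))
    try:
        projects_hardened(db, "10 OR 1=1", allowed_clients={10})
    except ValueError as exc:
        print("rejected:", exc)
```

The point to take from the hardened version is that validation and parameterization are complementary rather than alternatives: the regex keeps garbage out of the application layer early and gives a clean log signal, while the bound parameter is the control that actually guarantees the value cannot change the statement. The authorization check is a separate concern from injection but is what prevents a copied URL with a different, perfectly valid IDClient from returning another client's projects.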
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-09-23T10:24:23.469Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6995c8856aea4a407a9d0d0b
Added to database: 2/18/2026, 2:11:17 PM
Last enriched: 2/18/2026, 2:25:30 PM
Last updated: 2/21/2026, 12:19:30 AM