The vulnerability CVE-2025-60062 in mmetrodw tPlayer (up to version 1.2.1.6) is an SQL Injection flaw caused by improper neutralization of special elements in SQL commands. This allows remote attackers to inject malicious SQL queries without authentication or user interaction, potentially leading to unauthorized disclosure of sensitive data and partial denial of service. The CVSS 3.1 base score is 9.3, reflecting critical severity with network attack vector and low complexity. No patch or official fix information is currently available, and no exploits have been observed in the wild.

Successful exploitation could allow an unauthenticated attacker to execute injected SQL commands, resulting in unauthorized access to sensitive information (confidentiality impact) and limited disruption of service (availability impact). Integrity is not impacted according to the CVSS vector. The vulnerability is critical due to ease of exploitation and potential data exposure.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the affected application, applying web application firewall (WAF) rules to detect and block SQL injection attempts, and monitoring for suspicious activity related to SQL injection. Avoid deploying affected versions in exposed environments where possible.