CVE-2025-61548 is a critical SQL Injection vulnerability identified in edu Business Solutions Print Shop Pro WebDesk version 18.34. The vulnerability exists in the hfInventoryDistFormID parameter within the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint. The root cause is the failure to sanitize user input before incorporating it into SQL queries, leading to direct injection of malicious SQL commands. This lack of parameterization or escaping enables remote attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or deletion, and even full system compromise. The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, increasing the risk and ease of exploitation. The CVSS v3.1 score of 9.8 reflects the critical nature of this flaw, with attack vector being network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (C:H), integrity (I:H), and availability (A:H). Although no known exploits are currently reported in the wild, the severity and simplicity of exploitation make it a high-priority issue. The vulnerability was reserved in September 2025 and published in January 2026. The vendor has addressed the issue in version 19.69, and users of affected versions should upgrade immediately. The CWE classification is CWE-89, which corresponds to SQL Injection vulnerabilities.

For European organizations, exploitation of this vulnerability could lead to severe consequences including unauthorized access to sensitive business and customer data, data corruption or deletion, and disruption of print shop operations. Given that Print Shop Pro WebDesk is used for managing print shop workflows and inventory, a successful attack could halt critical business processes, cause financial losses, and damage organizational reputation. The high impact on confidentiality, integrity, and availability means that attackers could steal confidential information, manipulate pricing or inventory data, and cause denial of service. This is particularly concerning for organizations handling sensitive or regulated data under GDPR, as breaches could lead to regulatory penalties. Additionally, the ability to execute arbitrary SQL commands remotely without authentication increases the attack surface, making it easier for cybercriminals or state-sponsored actors to target these systems. The lack of known exploits in the wild does not reduce urgency, as public disclosure often leads to rapid development of exploit code.

European organizations should immediately upgrade edu Business Solutions Print Shop Pro WebDesk to version 19.69 or later, where the vulnerability is fixed. If immediate patching is not feasible, implement the following mitigations: 1) Employ Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL Injection attempts targeting the hfInventoryDistFormID parameter and the affected endpoint. 2) Conduct thorough input validation and sanitization at the application layer, ensuring all user inputs are properly parameterized and escaped before database queries. 3) Restrict network access to the affected endpoint by limiting exposure to trusted internal networks or VPNs only. 4) Monitor logs for unusual or suspicious SQL query patterns or repeated failed attempts to access the vulnerable endpoint. 5) Perform regular security assessments and penetration testing focused on injection vulnerabilities. 6) Educate development teams on secure coding practices to prevent similar issues in future releases. 7) Maintain up-to-date backups to enable recovery in case of data corruption or deletion.