
CVE-2025-66440: n/a

Severity: Critical
Published: Mon Dec 15 2025 (12/15/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in Frappe ERPNext through 15.89.0. Function get_outstanding_reference_documents() at erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL Injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the to_posting_date parameter, which is directly interpolated into the query without proper sanitization or parameter binding.

AI-Powered Analysis

Last updated: 12/22/2025, 18:13:36 UTC

Technical Analysis

CVE-2025-66440 identifies a critical SQL Injection vulnerability in the open-source ERP system Frappe ERPNext, affecting versions through 15.89.0. The vulnerability resides in the get_outstanding_reference_documents() function in erpnext/accounts/doctype/payment_entry/payment_entry.py. The issue arises because the to_posting_date parameter is interpolated directly into an SQL query string without input validation, sanitization, or parameter binding. This allows an attacker to inject arbitrary SQL, extract sensitive information from the backend database, or potentially manipulate data. The vulnerability is exploitable remotely over the network without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact includes full compromise of the confidentiality, integrity, and availability of the ERP system's data. Although no exploits are currently known in the wild, the critical CVSS score of 9.8 reflects the high risk posed by this vulnerability. The root cause aligns with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Because no patch is available, ERPNext users need to remediate urgently. Given ERPNext's widespread use in business process management, especially in finance and accounting modules, exploitation could lead to significant data breaches and operational disruption.

Potential Impact

For European organizations, the impact of CVE-2025-66440 could be substantial. ERPNext is widely used by small to medium enterprises and some larger organizations for managing accounting, payments, and other critical business functions. Successful exploitation could lead to unauthorized disclosure of sensitive financial data, manipulation of payment records, and disruption of business operations. This could result in regulatory non-compliance under GDPR due to data breaches, financial losses, reputational damage, and potential legal consequences. Organizations in sectors such as finance, manufacturing, retail, and public administration that rely on ERPNext for transactional workflows are particularly vulnerable. The ability to exploit this vulnerability remotely without authentication increases the attack surface, making it attractive for cybercriminals and potentially nation-state actors targeting European economic infrastructure. The lack of known public exploits currently provides a window for proactive defense, but the critical severity demands immediate attention to prevent future exploitation.

Mitigation Recommendations

To mitigate CVE-2025-66440, organizations should immediately audit their ERPNext installations to identify affected versions (up to 15.89.0). Since no official patches are currently available, users should implement temporary mitigations such as disabling or restricting access to the vulnerable get_outstanding_reference_documents() functionality where feasible. A web application firewall (WAF) with SQL Injection detection rules can help block malicious payloads aimed at the to_posting_date parameter, although a WAF is a compensating control and not a fix. Developers and administrators should review the source code and replace the unsafe string interpolation with parameterized queries or prepared statements, so that the to_posting_date value is bound as data rather than concatenated into the SQL text; an allow-list check that the value is a well-formed date adds a second layer. Network segmentation and strict access controls on the ERPNext database can limit the blast radius of a successful attack. Monitoring logs for unusual database queries or access patterns involving payment_entry.py functions is recommended. Organizations should subscribe to ERPNext security advisories for timely patch releases and plan for rapid deployment once a fix is available. Penetration testing focused on SQL Injection vectors in ERPNext environments will help validate the effectiveness of these mitigations.
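The following is an added example, not code from ERPNext or from this advisory, showing the remediation pattern recommended above: the caller-controlled date is validated against an allow-list and then passed to the database driver as a bound parameter instead of being formatted into the SQL string. It uses Python's built-in sqlite3 so it runs offline; the table name, column names, sample rows and the function name get_outstanding_invoices are all constructed for illustration and do not correspond to ERPNext's schema.

```python
"""Parameter binding plus allow-list validation for a posting-date filter.

Added example: constructed schema and data, not ERPNext's own code.
"""
import re
import sqlite3
from datetime import date

# Strict ISO-8601 calendar date shape; anything else is rejected before it
# ever reaches the database.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_posting_date(value):
    """Allow-list check for a to_posting_date-style parameter.

    Returns the value unchanged if it is a real YYYY-MM-DD date, otherwise
    raises ValueError. Quotes, comments and whitespace never pass.
    """
    if not isinstance(value, str) or not DATE_RE.match(value):
        raise ValueError("to_posting_date must be a YYYY-MM-DD string")
    date.fromisoformat(value)  # rejects impossible dates such as 2025-13-40
    return value


def get_outstanding_invoices(conn, party, to_posting_date):
    """Hardened query: every caller-controlled value is a bound parameter.

    The SQL text is a constant; the driver sends `party` and
    `to_posting_date` separately, so they are always treated as data.
    """
    to_posting_date = validate_posting_date(to_posting_date)
    rows = conn.execute(
        "SELECT name, outstanding_amount FROM sales_invoice "
        "WHERE party = ? AND posting_date <= ? AND outstanding_amount > 0 "
        "ORDER BY posting_date",
        (party, to_posting_date),
    ).fetchall()
    return [(name, amount) for name, amount in rows]


def build_sample_db():
    """Constructed in-memory table standing in for an invoice table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sales_invoice ("
        "name TEXT, party TEXT, posting_date TEXT, outstanding_amount REAL)"
    )
    conn.executemany(
        "INSERT INTO sales_invoice VALUES (?, ?, ?, ?)",
        [
            ("SINV-0001", "Acme GmbH", "2025-11-01", 500.0),
            ("SINV-0002", "Acme GmbH", "2025-12-10", 250.0),
            ("SINV-0003", "Acme GmbH", "2025-12-20", 75.0),
            ("SINV-0004", "Other Ltd", "2025-11-15", 900.0),
        ],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(get_outstanding_invoices(db, "Acme GmbH", "2025-12-15"))
    # A party name containing a quote is simply a value that matches nothing.
    print(get_outstanding_invoices(db, "O'Brien", "2025-12-31"))
    try:
        get_outstanding_invoices(db, "Acme GmbH", "2025-12-15 extra")
    except ValueError as exc:
        print("rejected:", exc)
```

In Frappe the same idea is expressed by passing a values mapping as the second argument to frappe.db.sql() with `%(to_posting_date)s` style placeholders in the query, rather than building the query with f-strings or `%` formatting; the validation step stays the same and should run before the query is issued.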


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-30T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 694045bfd9bcdf3f3df2bea3

Added to database: 12/15/2025, 5:30:39 PM

Last enriched: 12/22/2025, 6:13:36 PM

Last updated: 2/4/2026, 1:27:28 PM

