
CVE-2025-6918: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Ncvav Virtual PBX Software

Critical
Tags: Vulnerability, CVE-2025-6918, CWE-89
Published: Mon Jul 28 2025 (07/28/2025, 11:05:16 UTC)
Source: CVE Database V5
Vendor/Project: Ncvav
Product: Virtual PBX Software

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ncvav Virtual PBX Software allows SQL Injection. This issue affects Virtual PBX Software: before 09.07.2025.

AI-Powered Analysis

AI analysis last updated: 07/28/2025, 11:32:41 UTC

Technical Analysis

CVE-2025-6918 is a critical SQL injection vulnerability (CWE-89) in Ncvav Virtual PBX Software, affecting versions before 09.07.2025. Input reaching at least one backend database query is not neutralized, so an attacker who can reach the affected interface can change the structure of the SQL statement the PBX executes rather than merely supplying a value to it. The CVSS 3.1 base score of 9.8 corresponds to a network-reachable flaw with low attack complexity that needs no privileges or user interaction and has high impact on confidentiality, integrity and availability (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation can yield unauthorized reading, modification or deletion of database contents and, depending on the database engine and the privileges of the account the PBX uses, compromise of the database host and of the PBX itself. Because a PBX database typically holds extension and SIP account data, call detail records and routing configuration, a successful attack could expose call records and credentials, disrupt voice service, or manipulate how calls are routed. No exploitation in the wild had been reported at publication. This analysis was written with no vendor patch reference attached to the record; note, however, that the affected-version statement "before 09.07.2025" is an upper bound, which implies that releases dated 09.07.2025 or later contain the fix, so operators should confirm their installed version with the vendor rather than assume no fix exists.
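The CVE record names neither the injectable parameter nor the language the product is written in, so the following is an added illustration of CWE-89 written for this page, not Ncvav's code: a PBX-style "look up an extension by caller-supplied ID" query in Python against an in-memory SQLite table of constructed rows. The table name, columns, sample data and payload are assumptions. The vulnerable function splices the caller's value into the SQL text, which lets a tautology payload drop the `admin = 0` restriction and return every row, the admin extension's SIP secret included; the hardened function binds the same value as a parameter, so the payload is just a string that matches nothing.

```python
"""Added example (not Ncvav code): CWE-89 in a PBX-style extension lookup.

The CVE record names neither the injectable parameter nor the product's
language, so this models a generic "look up an extension by caller-supplied
ID" query against an in-memory SQLite table of constructed rows. The table,
columns and payload are assumptions made for illustration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory PBX-style table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE extensions (ext TEXT, owner TEXT, sip_secret TEXT, admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO extensions VALUES (?, ?, ?, ?)",
        [
            ("1001", "reception", "s3cr3t-1001", 0),
            ("1002", "finance", "s3cr3t-1002", 0),
            ("9000", "pbx-admin", "s3cr3t-9000", 1),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ext: str) -> list:
    """CWE-89: the caller's value is spliced into the SQL text, so quotes,
    operators and comment markers in it become part of the statement."""
    sql = (
        "SELECT ext, owner, sip_secret FROM extensions "
        f"WHERE ext = '{ext}' AND admin = 0"
    )
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, ext: str) -> list:
    """Same query with the value bound as a parameter: the SQL structure is
    fixed before the value is seen, so the payload is just a string."""
    sql = "SELECT ext, owner, sip_secret FROM extensions WHERE ext = ? AND admin = 0"
    return conn.execute(sql, (ext,)).fetchall()


# Tautology payload: closes the quoted literal, adds an always-true clause,
# and the trailing "--" comments out the "AND admin = 0" restriction.
PAYLOAD = "' OR '1'='1' --"


if __name__ == "__main__":
    db = build_db()
    print("normal     :", lookup_vulnerable(db, "1001"))
    print("vulnerable :", lookup_vulnerable(db, PAYLOAD))   # every row, admin included
    print("fixed      :", lookup_fixed(db, PAYLOAD))        # no rows
```

The resulting statement in the vulnerable path is `WHERE ext = '' OR '1'='1' --' AND admin = 0`; everything after `--` is a comment, so the restriction never applies. Escaping quotes in the value is not an adequate fix, since numeric contexts, `LIKE` patterns and identifiers need different rules; binding parameters is what removes the class of bug.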

Potential Impact

For European organizations, the impact is significant for any enterprise, service provider or government agency that runs Ncvav Virtual PBX Software as part of its telephony infrastructure. Compromise of the PBX database can expose call detail records and other call metadata, SIP account credentials and routing configuration, and can be used to disrupt business operations through call-service outages or to interfere with call handling. Unauthorized access to call records and subscriber data is personal-data processing under GDPR, so exploitation carries regulatory exposure in addition to operational and reputational cost. A PBX is also usually reachable from both the internet-facing SIP/web side and internal networks, so attackers could use it as a foothold to pivot further into the organization.

Mitigation Recommendations

Given the absence of an official patch reference at the time of this report, European organizations should apply compensating controls immediately:
1) Restrict network access to the PBX web and management interfaces with firewall rules and network segmentation so that only trusted administrative addresses can reach them, and ensure the PBX's database port is not exposed to the network at all.
2) Place a Web Application Firewall (WAF) or intrusion prevention system (IPS) with SQL injection signatures in front of the PBX web interface. Treat this as a stopgap: signature matching can be evaded with encoding and comment tricks, so it reduces exposure but does not remove the flaw.
3) Run the database account used by the PBX with least privilege (access only to the tables it needs, no file-system or command-execution features enabled on the database side), which limits what a successful injection can reach. If the deployment adds its own integrations or scripts that pass user-supplied data to the PBX database, make sure they use parameterized queries; this does not fix the vendor flaw but removes adjacent injection points.
4) Monitor web-server access logs for SQL syntax (quotes followed by OR/AND, UNION SELECT, comment markers, stacked statements) in request parameters, and monitor database logs for syntax errors and unusual query volumes, both of which are typical of probing for an injection point.
5) Confirm with the vendor whether the release dated 09.07.2025 or later contains the fix (the affected-version statement "before 09.07.2025" suggests it does), test the update in a controlled environment, and roll it out promptly.
6) Consider temporarily moving to an alternative PBX solution if risk tolerance is low and the system cannot be isolated.
7) Brief IT and security teams on the vulnerability so that injection attempts against the PBX are recognized and escalated quickly.
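Item 4 above, and the WAF/IPS signatures of item 2, amount to looking for SQL syntax in request parameters. The following is an added example written for this page, not part of the advisory or of any Ncvav tooling: a Python scanner that parses Apache combined-format access-log lines, URL-decodes each query parameter and flags values carrying SQL injection indicators. The endpoint path /pbx/extensions, the parameter names and the four log lines are constructed for illustration, since the CVE record does not identify the vulnerable request.

```python
"""Added example: triage a web access log for SQL-injection attempts against a
PBX web interface. Not part of the CVE record or any vendor tooling; the
endpoint, parameters and log lines below are constructed for illustration."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines (assumed endpoint /pbx/extensions):
# a benign lookup, a quote-plus-tautology attempt, a URL-encoded UNION SELECT
# attempt, and a benign value that merely contains the word "or".
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2025:11:05:16 +0000] "GET /pbx/extensions?ext=1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Jul/2025:11:06:02 +0000] "GET /pbx/extensions?ext=1001'%20OR%20'1'%3D'1'%20-- HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.9 - - [28/Jul/2025:11:06:40 +0000] "GET /pbx/extensions?ext=1001%27%20UNION%20SELECT%20ext%2Csip_secret%2C1%20FROM%20extensions-- HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.7 - - [28/Jul/2025:11:07:10 +0000] "GET /pbx/extensions?owner=floor%20or%20lobby HTTP/1.1" 200 480 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client IP, timestamp, method,
# target (path + query) and status code are all this scanner needs.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched on the decoded parameter value. Each requires a
# piece of SQL syntax (quote, keyword pair, comment marker, statement
# separator, function call), so a plain English "or" does not fire.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,24}\bselect\b", re.I | re.S)),
    ("comment-terminator", re.compile(r"(--|/\*|#)\s*$")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|alter|exec)\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
]


def parse_line(line: str):
    """Return the request fields of one log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    url = urlsplit(req["target"])
    req["path"] = url.path
    # parse_qsl percent-decodes and turns '+' into a space, which is the
    # form the application (and ultimately the SQL engine) would see.
    req["params"] = parse_qsl(url.query, keep_blank_values=True)
    return req


def classify(value: str):
    """Return the first matching indicator label for a decoded value, or None."""
    for label, pattern in SQLI_PATTERNS:
        if pattern.search(value):
            return label
    return None


def scan_log(text: str) -> list:
    """Scan whole-log text; one finding per suspicious parameter occurrence."""
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for name, value in req["params"]:
            label = classify(value)
            if label:
                findings.append({
                    "ip": req["ip"], "ts": req["ts"], "path": req["path"],
                    "param": name, "indicator": label, "value": value,
                })
    return findings


def sources(findings: list) -> dict:
    """Count findings per client IP, the first thing an analyst pivots on."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r} [{f['indicator']}]")
    print(sources(scan_log(SAMPLE_LOG)))
```

On the constructed sample this reports the two requests from 198.51.100.9 (tautology and UNION SELECT) and ignores both benign lines. Use it for triage, not as a blocking rule: attackers evade pattern matching with double URL encoding, case changes and inline comments, and POST bodies are not in the access log at all, so pair it with database error logs and, where the PBX supports it, application-level request logging.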


Technical Details

Data Version: 5.1
Assigner Short Name: TR-CERT
Date Reserved: 2025-06-30T08:17:12.538Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68875c52ad5a09ad008291a8

Added to database: 7/28/2025, 11:17:38 AM

Last enriched: 7/28/2025, 11:32:41 AM

Last updated: 7/30/2025, 5:50:29 AM

