CVE-2025-69216: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in devcode-it openstamanager
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques.
AI Analysis
Technical Summary
OpenSTAManager, an open source management application widely used for technical assistance and invoicing, contains a critical SQL injection vulnerability tracked as CVE-2025-69216. It affects versions 2.9.8 and earlier and lies in the Scadenzario (Payment Schedule) print template, specifically in templates/scadenzario/init.php. The root cause is the direct concatenation of the id_anagrafica parameter into an SQL query without sanitization or parameterization, the classic CWE-89 weakness. Because the query text is built from untrusted input, any authenticated user can perform error-based SQL injection and read data from the backend database, including administrator credentials, customer information and financial records, compromising the confidentiality and integrity of the system. The CVSS 4.0 base score of 8.7 reflects the high severity: network attack vector, low attack complexity, no user interaction, and privileges required limited to an authenticated account. No interaction beyond login is needed, so exploitation is straightforward once credentials are obtained. No public exploits are currently known, but the potential impact is significant given the sensitivity of the data exposed. All deployments running vulnerable versions of OpenSTAManager are affected; these are typically small to medium enterprises managing technical assistance and invoicing workflows. No official patch was available at the time of disclosure, so immediate mitigation is necessary to prevent exploitation.
Potential Impact
For European organizations, this vulnerability poses a substantial risk to the confidentiality and integrity of sensitive business data, including financial records and customer information. Exploitation could lead to data breaches, financial fraud, and unauthorized access to administrative functions, potentially disrupting business operations and damaging reputations. Given that OpenSTAManager is used primarily by SMEs for invoicing and technical support management, affected organizations may face regulatory compliance issues under GDPR due to exposure of personal and financial data. The availability of the system could also be indirectly impacted if attackers leverage the vulnerability to corrupt data or escalate privileges. The ease of exploitation by any authenticated user increases the threat level, especially in environments with weak access controls or shared credentials. European SMEs, which form a significant portion of the economy, may be particularly vulnerable if they rely on this software without timely remediation. Additionally, the exposure of administrative credentials could facilitate further lateral movement within corporate networks, amplifying the impact.
Mitigation Recommendations
Until an official patch is released, European organizations should implement the following specific mitigations:
1) Restrict access to the Scadenzario print template functionality to only trusted and necessary users, minimizing the attack surface.
2) Enforce strong authentication and session management policies to prevent unauthorized access.
3) Implement web application firewall (WAF) rules to detect and block SQL injection patterns targeting the id_anagrafica parameter.
4) Conduct code reviews and, where possible, apply input validation or parameterized queries in the affected PHP file so inputs are sanitized before they reach the database.
5) Monitor database and application logs for unusual query patterns or error messages indicative of SQL injection attempts.
6) Educate users about the risks of credential sharing and enforce least privilege principles.
7) Plan an immediate upgrade to a patched version once available, and test updates in a controlled environment before deployment.
8) Consider isolating the OpenSTAManager instance within a segmented network zone to limit potential lateral movement in case of compromise.
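To make mitigation 4 concrete, the following is an added illustration and not OpenSTAManager's own code: it shows the flaw shape the advisory describes (the id_anagrafica request value concatenated into SQL text) beside a parameterized form with a generic error path. The table and column names, the function names and the PDO handle are assumptions; the real query in templates/scadenzario/init.php is not reproduced here.

```php
<?php
// Added illustration, not OpenSTAManager's own code. Table/column names,
// function names and the PDO handle are assumptions for this example.

// Vulnerable pattern (CWE-89): id_anagrafica becomes part of the SQL statement,
// so a crafted value changes the query itself and database errors leak results.
function scadenzeVulnerabile(PDO $dbo, array $request): array
{
    $id_anagrafica = $request['id_anagrafica'];
    $sql = 'SELECT * FROM scadenze WHERE idanagrafica = ' . $id_anagrafica;
    return $dbo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: reject anything that is not a positive integer, then bind the
// value as a typed parameter so it can never alter the query structure.
function scadenzeSicuro(PDO $dbo, array $request): array
{
    $id_anagrafica = filter_var(
        $request['id_anagrafica'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id_anagrafica === false) {
        throw new InvalidArgumentException('id_anagrafica must be a positive integer');
    }

    $stmt = $dbo->prepare('SELECT * FROM scadenze WHERE idanagrafica = :id');
    $stmt->bindValue(':id', $id_anagrafica, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Error-based extraction depends on database error text reaching the response.
// Log the PDOException server-side and surface only a generic message.
function stampaScadenze(PDO $dbo, array $request): array
{
    try {
        return scadenzeSicuro($dbo, $request);
    } catch (PDOException $e) {
        error_log('scadenzario query failed: ' . $e->getMessage());
        throw new RuntimeException('Unable to load payment schedule');
    }
}
```

The generic error path matters for this class of bug: even a residual injection elsewhere cannot use the error-based channel the advisory describes if database error text never reaches the HTTP response. For MySQL, disabling PDO::ATTR_EMULATE_PREPARES makes the server perform the binding rather than the driver.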
Affected Countries
Germany, Italy, France, United Kingdom, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-29T15:03:10.320Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69863332f9fa50a62f2637a4
Added to database: 2/6/2026, 6:30:10 PM
Last enriched: 2/14/2026, 12:07:59 PM
Last updated: 3/22/2026, 11:20:48 AM