CVE-2025-7636: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS allows SQL Injection. This issue affects ZEUS PDKS: from <1.0.5.10 through 10022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-7636 identifies an SQL Injection vulnerability in Ergosis Security Systems Computer Industry and Trade Inc.'s ZEUS PDKS product, affecting versions earlier than 1.0.5.10. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), which allows an attacker to inject SQL code of their choosing. This can lead to unauthorized data access, modification, or deletion, and potentially full system compromise. The vulnerability is remotely exploitable over the network with low attack complexity, requires only low-level privileges, and needs no user interaction. The CVSS v3.1 score of 8.8 reflects its high impact on confidentiality, integrity, and availability. The vendor was contacted but did not respond, and no patches or mitigations have been published yet. ZEUS PDKS is used for physical access control and security management, so successful exploitation could directly affect an organization's physical security. The absence of known exploits in the wild does not reduce the urgency, given the ease of exploitation and the high impact. Organizations should assume that active exploitation attempts could emerge and act accordingly.
Potential Impact
For European organizations, exploitation of this vulnerability could result in unauthorized disclosure of sensitive security data, manipulation or deletion of access control records, and disruption of physical security systems managed by ZEUS PDKS. This could lead to unauthorized physical access, data breaches, and operational downtime. Critical infrastructure operators, government agencies, and enterprises relying on Ergosis security solutions are particularly at risk. The compromise of access control systems could have cascading effects on safety and compliance with European data protection regulations such as GDPR. Additionally, the inability to patch promptly increases exposure time, raising the risk of targeted attacks. The high severity and network-exploitable nature mean attackers can leverage this vulnerability to gain footholds in networks, potentially escalating privileges or moving laterally within organizations.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement immediate compensating controls. These include:
1. Restricting network access to ZEUS PDKS management interfaces using firewalls and network segmentation, so that only trusted hosts can reach them.
2. Employing Web Application Firewalls (WAFs) or database activity monitoring tools to detect and block suspicious SQL injection attempts.
3. Conducting thorough input validation and sanitization of all user-supplied data that interacts with the ZEUS PDKS system, where customization or integration makes this possible.
4. Monitoring logs for anomalous database queries or access patterns indicative of exploitation attempts.
5. Preparing incident response plans specific to a compromise of the access control system.
6. Engaging with Ergosis Security Systems for updates and pressing for timely patch releases.
7. Considering temporary alternative security controls or manual oversight for critical physical access points until the vulnerability is resolved.
These measures address the specific attack vector and affected system rather than offering only generic advice.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: TR-CERT
- Date Reserved: 2025-07-14T13:15:28.907Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698b44b84b57a58fa114e1f7
Added to database: 2/10/2026, 2:46:16 PM
Last enriched: 2/10/2026, 3:00:34 PM
Last updated: 2/21/2026, 12:21:35 AM