
CVE-2025-8121: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Polska Akademia Dostępności PAD CMS

Severity: High
Published: Tue Sep 30 2025 (09/30/2025, 10:05:13 UTC)
Source: CVE Database V5
Vendor/Project: Polska Akademia Dostępności
Product: PAD CMS

Description

Improper neutralization of input provided by an authorized user in article positioning functionality allows for Blind SQL Injection attacks. This issue affects all 3 templates: www, bip and ww+bip. This product is End-Of-Life and the vendor will not publish patches for this vulnerability.

AI-Powered Analysis

Last updated: 09/30/2025, 10:10:08 UTC

Technical Analysis

CVE-2025-8121 is a high-severity SQL Injection vulnerability (CWE-89) found in the Polska Akademia Dostępności (PAD) CMS, specifically affecting its article positioning functionality across all three templates: www, bip, and ww+bip. The vulnerability arises from improper neutralization of special elements in SQL commands, allowing an authorized user to perform Blind SQL Injection attacks. Malicious input is not properly sanitized before being incorporated into SQL queries, so an attacker can infer database information by observing application behavior or response timing, even without direct query results. The attacker must hold some level of privileges (PR:L), but no user interaction is required (UI:N). The CVSS 4.0 base score is 8.7, indicating high severity, with a network attack vector (AV:N), low attack complexity (AC:L), no attack requirements (AT:N), and high impact on confidentiality and integrity, with limited impact on availability. Notably, the PAD CMS product is End-Of-Life, and the vendor will not issue patches for this vulnerability, which increases the risk for organizations still using this CMS. No known exploits are currently reported in the wild, but the lack of patch availability and the high severity score suggest that exploitation could lead to significant data breaches or unauthorized data manipulation.

Potential Impact

For European organizations using PAD CMS, especially those managing public-facing websites or sensitive content, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized disclosure of sensitive data, including user information, internal content, or configuration details, compromising confidentiality. Integrity of the database can also be affected, allowing attackers to alter content or data records, potentially damaging organizational reputation and trust. Given the CMS's use in public administration or accessibility-focused institutions (implied by the vendor name), data integrity and confidentiality are critical. The inability to patch the vulnerability due to the product's End-Of-Life status exacerbates the risk, potentially leading to prolonged exposure. Additionally, attackers exploiting this vulnerability could use it as a foothold for further network penetration or lateral movement within the organization's infrastructure. The Blind SQL Injection nature means that data exfiltration might be slower but stealthier, complicating detection efforts.

Mitigation Recommendations

Since no patches are available, European organizations should consider immediate compensating controls. First, restrict access to the article positioning functionality to only the minimum necessary authorized users and monitor their activities closely. Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection patterns, particularly targeting the vulnerable CMS endpoints. Conduct thorough input validation and sanitization at the application or proxy level if possible, to neutralize malicious input before it reaches the database. Organizations should also consider migrating away from PAD CMS to a supported and actively maintained content management system to eliminate exposure. Regularly audit and monitor database logs and application logs for unusual query patterns or anomalies indicative of SQL Injection attempts. Network segmentation can limit the impact if exploitation occurs. Finally, educate authorized users about the risks and signs of compromise to enhance early detection.
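The input-validation and log-audit recommendations above can share one allowlist check. The following is an added example, not part of the advisory or of PAD CMS: the endpoint path, parameter names, log format and slow-response threshold are assumptions, since the advisory does not name them.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumptions, not taken from the advisory: path, parameter names, threshold.
POSITION_PATH = "/panel/articles/position"   # hypothetical endpoint
INT_PARAMS = {"id", "pos"}                   # hypothetical integer-only fields
INT_RE = re.compile(r"[0-9]{1,9}")           # ASCII digits only, bounded length
SLOW_SECONDS = 3.0                           # unusually slow for a reorder call

def check_request(url):
    """Return reasons to reject a positioning request (empty list = allow)."""
    parts = urlsplit(url)
    if parts.path != POSITION_PATH:
        return []
    reasons, seen = [], set()
    # parse_qsl percent-decodes, so encoded input is judged in decoded form
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in INT_PARAMS:
            reasons.append(f"unexpected parameter {name!r}")
        elif name in seen:
            reasons.append(f"duplicate parameter {name!r}")
        elif not INT_RE.fullmatch(value):
            reasons.append(f"non-integer value for {name!r}")
        seen.add(name)
    reasons += [f"missing parameter {n!r}" for n in sorted(INT_PARAMS - seen)]
    return reasons

def audit(lines):
    """Scan 'time user method url status seconds' lines; return findings."""
    findings = []
    for line in lines:
        ts, user, _method, url, _status, secs = line.split()
        reasons = check_request(url)
        if urlsplit(url).path == POSITION_PATH and float(secs) >= SLOW_SECONDS:
            reasons.append("slow response")
        if reasons:
            findings.append((ts, user, reasons))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-10-01T09:00:01Z editor1 POST /panel/articles/position?id=12&pos=3 200 0.041",
    "2025-10-01T09:00:07Z editor2 POST /panel/articles/position?id=12&pos=2%20OR%201%3D1 200 0.038",
    "2025-10-01T09:00:09Z editor2 POST /panel/articles/position?id=12&pos=4 200 5.012",
    "2025-10-01T09:00:11Z editor1 GET /panel/articles/list?page=2 200 0.020",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

At a reverse proxy, a non-empty `check_request` result would be grounds to reject the request before it reaches the CMS; in log review it only marks entries for follow-up.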


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-07-24T14:25:52.184Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dbac586e3c400c0ffa5e08

Added to database: 9/30/2025, 10:09:28 AM

Last enriched: 9/30/2025, 10:10:08 AM

Last updated: 9/30/2025, 10:10:08 AM
