
CVE-2025-8121: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Polska Akademia Dostępności PAD CMS

Severity: High
Tags: Vulnerability, CVE-2025-8121, CWE-89
Published: Tue Sep 30 2025 (09/30/2025, 10:05:13 UTC)
Source: CVE Database V5
Vendor/Project: Polska Akademia Dostępności
Product: PAD CMS

Description

CVE-2025-8121 is a high-severity SQL Injection vulnerability affecting the Polska Akademia Dostępności PAD CMS, specifically in its article positioning functionality across all three templates (www, bip, ww+bip). The flaw arises from improper neutralization of input from authorized users, enabling blind SQL injection attacks without requiring user interaction. The product is end-of-life, and no patches will be issued, increasing the risk for organizations still using it. Exploitation can lead to significant confidentiality and integrity breaches, including unauthorized data access and manipulation. European organizations using PAD CMS, especially in Poland and neighboring countries, are at heightened risk. Mitigation requires immediate migration to alternative CMS platforms or implementing strict input validation and web application firewalls. Given the CVSS 8.7 score and no known exploits in the wild yet, proactive defense is critical to prevent potential exploitation.

AI-Powered Analysis

Last updated: 10/07/2025, 11:30:37 UTC

Technical Analysis

CVE-2025-8121 is a vulnerability classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), commonly known as SQL Injection, affecting the Polska Akademia Dostępności PAD CMS. The vulnerability specifically exists in the article positioning functionality, which processes input from authorized users without proper sanitization or neutralization of special characters. This allows attackers to perform blind SQL Injection attacks, in which database information is inferred from the application's responses to crafted input rather than from directly returned query output. The vulnerability affects all three templates of the CMS: www, bip, and ww+bip. The product is end-of-life, meaning the vendor will not provide patches or updates to remediate this issue. The CVSS v4.0 base score is 8.7, indicating a high severity due to network exploitability (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and low required privileges (PR:L): the attacker needs an authorized account but no authentication bypass. The impact on confidentiality and integrity is high, while availability impact is low. No known exploits are currently reported in the wild, but the lack of vendor support and the critical nature of SQL Injection vulnerabilities make this a significant threat. Attackers exploiting this vulnerability could extract sensitive data, modify database contents, or escalate privileges within the CMS environment.

Potential Impact

For European organizations using PAD CMS, particularly those in Poland where the product originates and is likely most deployed, this vulnerability poses a serious risk. Exploitation could lead to unauthorized disclosure of sensitive information, including personal data, internal documents, or administrative credentials, violating GDPR and other data protection regulations. Integrity of website content and backend data could be compromised, potentially damaging organizational reputation and operational trust. Since the CMS is used in public administration contexts (implied by the bip template, BIP being the Biuletyn Informacji Publicznej, the public information bulletin that Polish public bodies publish), attacks could disrupt government transparency portals or public information dissemination. The end-of-life status means organizations cannot rely on vendor patches, increasing exposure duration and risk. Attackers could leverage this vulnerability to pivot into internal networks or conduct further attacks, impacting availability indirectly through data corruption or administrative lockout. The high CVSS score reflects the ease of remote exploitation and significant impact on confidentiality and integrity.

Mitigation Recommendations

Given the product is end-of-life and no patches are forthcoming, European organizations should prioritize migrating away from PAD CMS to supported and actively maintained content management systems. In the interim, organizations should implement strict input validation and sanitization controls at the application or web server level to block malicious SQL payloads targeting the article positioning functionality. Deploying a Web Application Firewall (WAF) with custom rules to detect and block SQL Injection attempts can provide an additional protective layer. Restricting privileges of authorized users who can access the vulnerable functionality reduces the attack surface. Regular security audits and database activity monitoring should be conducted to detect anomalous queries indicative of exploitation attempts. Backup and recovery plans must be updated to ensure rapid restoration in case of data integrity compromise. Finally, organizations should consider network segmentation to isolate the CMS environment from critical internal systems.
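To make the application-level control concrete, here is an added example (not PAD CMS code; the articles table and the handler names are assumed) contrasting an article-position update that splices editor input into the SQL text with one that allowlists the values and binds them as parameters:

```python
import re
import sqlite3

# Constructed stand-in for a CMS articles table with a display-order column.
# PAD CMS's real schema and handler are not on the page; this is an assumption.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, position INTEGER)")
    con.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                    [(1, "Statute", 1), (2, "Budget", 2), (3, "Contacts", 3)])
    return con

def positions(con):
    """Current (id, position) pairs, used to observe the effect of each update."""
    return list(con.execute("SELECT id, position FROM articles ORDER BY id"))

def set_position_vulnerable(con, article_id, position):
    """CWE-89 pattern: values from the (authenticated) editor are spliced into SQL text.
    Any value that is not a plain number changes the meaning of the UPDATE statement."""
    sql = f"UPDATE articles SET position = {position} WHERE id = {article_id}"
    return con.execute(sql).rowcount

_PLAIN_INT = re.compile(r"[0-9]{1,9}")

def set_position_hardened(con, article_id, position):
    """Two independent layers: an allowlist check on the raw values, then bound
    parameters so the database driver never interprets the values as SQL."""
    for value in (article_id, position):
        if not _PLAIN_INT.fullmatch(str(value)):
            raise ValueError(f"rejected non-numeric value: {value!r}")
    return con.execute("UPDATE articles SET position = ? WHERE id = ?",
                       (int(position), int(article_id))).rowcount

def hardened_rejects(con, article_id, position):
    """True when the allowlist layer refuses the input and no row was touched."""
    before = positions(con)
    try:
        set_position_hardened(con, article_id, position)
    except ValueError:
        return positions(con) == before
    return False

if __name__ == "__main__":
    con = make_db()
    # Integrity impact of the vulnerable form: one request rewrites every row.
    print(set_position_vulnerable(con, "2 OR 1=1", "9"), positions(con))
    con = make_db()
    print(set_position_hardened(con, "2", "9"), positions(con))
    print(hardened_rejects(con, "2 OR 1=1", "9"))
```

The same allowlist rule can be mirrored as a WAF or web-server check on the position and article-id parameters when the application code itself cannot be changed.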


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-07-24T14:25:52.184Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dbac586e3c400c0ffa5e08

Added to database: 9/30/2025, 10:09:28 AM

Last enriched: 10/7/2025, 11:30:37 AM

Last updated: 11/14/2025, 5:18:05 AM

