
CVE-2025-8122: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Polska Akademia Dostępności PAD CMS

Severity: High
Published: Tue Sep 30 2025 (09/30/2025, 10:05:21 UTC)
Source: CVE Database V5
Vendor/Project: Polska Akademia Dostępności
Product: PAD CMS

Description

CVE-2025-8122 is a high-severity SQL Injection vulnerability affecting the Polska Akademia Dostępności PAD CMS, specifically in the article positioning functionality across all three templates (www, bip, ww+bip). The flaw arises from improper neutralization of input provided by authorized users, enabling blind SQL injection attacks without requiring user interaction or elevated privileges beyond authorized user access. The product is end-of-life, and no patches will be issued, increasing risk for organizations still using this CMS. Exploitation could lead to significant confidentiality and integrity breaches, including unauthorized data access or manipulation. European organizations using PAD CMS, particularly in Poland and neighboring countries with higher adoption, are at greatest risk. Mitigation requires immediate migration to alternative CMS platforms or implementing strict input validation and database query parameterization at the application or network level. Due to the lack of vendor support and the critical nature of the vulnerability, proactive compensating controls and monitoring are essential to reduce exposure.

AI-Powered Analysis

Last updated: 10/07/2025, 11:30:50 UTC

Technical Analysis

CVE-2025-8122 is a vulnerability classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), commonly known as SQL Injection. It affects the Polska Akademia Dostępności (PAD) CMS, a content management system used primarily in Poland. The vulnerability exists in the article positioning functionality, which improperly sanitizes or neutralizes input from authorized users. This flaw allows attackers to perform blind SQL injection attacks, in which they infer database information by observing application behavior rather than from any direct data output. The vulnerability impacts all three templates of the CMS: www, bip, and ww+bip. The CVSS 4.0 base score is 8.7, indicating high severity, with a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, i.e. an ordinary authorized user account), no user interaction (UI:N), and high impact on confidentiality and integrity (VC:H, VI:H). Availability impact is low (VA:L). The product is end-of-life, and the vendor will not provide patches, leaving users without official remediation. No known exploits are currently reported in the wild, but the ease of exploitation and high impact make it a critical concern. The vulnerability allows attackers with authorized access to craft malicious inputs that manipulate SQL queries, potentially leading to unauthorized data disclosure, data modification, or further compromise of the backend database.

Potential Impact

For European organizations, particularly those in Poland and regions where PAD CMS is deployed, this vulnerability poses a significant risk. Exploitation can lead to unauthorized access to sensitive data stored in the CMS database, including potentially personal data protected under GDPR. Integrity of content and data can be compromised, undermining trust and operational reliability. Since the vulnerability requires only authorized user access, insider threats or compromised credentials can be leveraged by attackers to exploit the flaw. The lack of vendor patches due to the product's end-of-life status exacerbates the risk, as organizations cannot rely on official fixes. This could lead to data breaches, regulatory penalties, reputational damage, and operational disruptions. Additionally, public sector entities using the bip template (commonly used for official Polish government websites) may face heightened risks, including targeted attacks aiming to manipulate official information or disrupt services.

Mitigation Recommendations

Given the absence of vendor patches, European organizations should prioritize migrating away from PAD CMS to supported and actively maintained content management systems. In the interim, implement strict input validation and sanitization on all user inputs related to article positioning, ideally employing parameterized queries or prepared statements at the application or database layer to prevent injection. Employ Web Application Firewalls (WAFs) configured to detect and block SQL injection patterns, especially blind injection attempts. Restrict authorized user privileges to the minimum necessary to reduce the attack surface. Monitor logs and database query patterns for anomalous behavior indicative of injection attempts. Conduct regular security audits and penetration testing focused on injection vulnerabilities. For public sector organizations using the bip template, coordinate with national cybersecurity agencies for guidance and support. Finally, ensure robust credential management and multi-factor authentication to reduce risk from compromised authorized accounts.
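The recommendation above to replace string-built queries with parameterized ones, and to watch for anomalous input, is easier to act on with a concrete before-and-after. The following is an added illustration and is not PAD CMS code: the schema, the `articles` table, the `position` column and the function names are all hypothetical stand-ins for an article-ordering feature, since the page does not show the product's actual code or parameter names. It contrasts a query that pastes request values into SQL text with a hardened version that validates the parameters as plain integers and binds them, and it includes a small allow-list check of the kind a log monitor can apply to integer-only request parameters.

```python
import re
import sqlite3

# Constructed sample schema standing in for a CMS article table with an ordering
# column. PAD CMS's real schema, parameter names and code are not on the page;
# everything below is a hypothetical illustration of the CWE-89 pattern and its fix.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, position INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "first", 1), (2, "second", 2), (3, "third", 3)],
    )
    conn.commit()
    return conn


def positions(conn):
    """Return {article_id: position} for every row, in id order."""
    return dict(conn.execute("SELECT id, position FROM articles ORDER BY id"))


def set_position_unsafe(conn, article_id, position):
    """Vulnerable pattern: request values are interpolated into the SQL text.

    A value such as "1 OR 1=1" for article_id is parsed as SQL, so the WHERE
    clause matches every row instead of the one the user was allowed to move.
    """
    sql = f"UPDATE articles SET position = {position} WHERE id = {article_id}"
    return conn.execute(sql).rowcount


# Hypothetical allow-list for parameters that must be small integers.
INT_RE = re.compile(r"^-?\d{1,9}$")


def is_suspicious_int_param(value):
    """Detection helper: an integer-only parameter carrying anything else
    (spaces, quotes, keywords, comment markers) is worth logging and alerting on."""
    return INT_RE.match(str(value).strip()) is None


def set_position_safe(conn, article_id, position):
    """Hardened form: strict type validation first, then parameter binding.

    Bound parameters travel separately from the SQL text, so even a value that
    slipped past validation could not alter the structure of the query.
    """
    if is_suspicious_int_param(article_id) or is_suspicious_int_param(position):
        raise ValueError("article_id and position must be plain integers")
    article_id, position = int(article_id), int(position)
    if position < 0:
        raise ValueError("position must be non-negative")
    cur = conn.execute(
        "UPDATE articles SET position = ? WHERE id = ?", (position, article_id)
    )
    return cur.rowcount


def demo():
    """Run both paths on the same constructed input; returns (unsafe_rows, safe_rows)."""
    unsafe = make_db()
    set_position_unsafe(unsafe, "1 OR 1=1", 9)   # every row's position becomes 9
    safe = make_db()
    try:
        set_position_safe(safe, "1 OR 1=1", 9)   # rejected before any SQL runs
    except ValueError:
        pass
    set_position_safe(safe, "2", 5)              # the legitimate update still works
    return positions(unsafe), positions(safe)


if __name__ == "__main__":
    print(demo())
```

The validation step is deliberately separate from the binding step: parameter binding is what removes the injection, while the allow-list check is what gives operators a signal, since the same `is_suspicious_int_param` test can be run over access logs or WAF events for parameters that should only ever be integers.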


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-07-24T14:25:52.855Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dbac586e3c400c0ffa5e0b

Added to database: 9/30/2025, 10:09:28 AM

Last enriched: 10/7/2025, 11:30:50 AM

Last updated: 11/14/2025, 5:23:51 AM

Views: 71
