
CVE-2025-8161: SQL Injection in deerwms deer-wms-2

Severity: Medium
Published: Fri Jul 25 2025 (07/25/2025, 16:32:12 UTC)
Source: CVE Database V5
Vendor/Project: deerwms
Product: deer-wms-2

Description

A vulnerability classified as critical was found in deerwms deer-wms-2 up to 3.3. Affected by this vulnerability is an unknown functionality of the file /system/role/export. The manipulation of the argument params[dataScope] leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis last updated: 07/25/2025, 17:02:40 UTC

Technical Analysis

CVE-2025-8161 is a medium-severity SQL Injection vulnerability affecting deerwms deer-wms-2 versions 3.0 through 3.3. The vulnerability exists in an unspecified functionality within the /system/role/export endpoint, where the argument params[dataScope] is improperly sanitized, allowing an attacker to inject malicious SQL code. This flaw can be exploited remotely without authentication or user interaction, making it accessible to unauthenticated attackers over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability does not require special conditions such as a scope change or a security-control bypass. Although the CVSS score is 5.3 (medium), the presence of a publicly disclosed exploit increases the risk of exploitation. The vulnerability allows attackers to manipulate database queries, potentially leading to unauthorized data access, data modification, or disruption of service. The lack of a patch link suggests that a fix may not yet be available, increasing the urgency for mitigation. The affected product, deer-wms-2, is a warehouse management system, which typically handles inventory, logistics, and supply chain data, making it a critical component in operational technology environments.

Potential Impact

For European organizations, exploitation of this vulnerability could lead to unauthorized access to sensitive inventory and logistics data, disruption of warehouse operations, and potential data integrity issues. This could result in financial losses, operational downtime, and damage to reputation. Given the critical role of warehouse management systems in supply chains, especially in manufacturing, retail, and distribution sectors prevalent across Europe, the impact could cascade to affect delivery schedules and customer satisfaction. Additionally, compromised data could expose business-sensitive information or personal data, raising compliance concerns under GDPR. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, particularly targeting organizations that have not yet updated or mitigated the vulnerability.

Mitigation Recommendations

Organizations using deer-wms-2 versions 3.0 to 3.3 should immediately audit their systems for exposure of the /system/role/export endpoint and restrict access to trusted networks via firewall rules or VPNs. Implement web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the params[dataScope] parameter. Monitor logs for unusual query patterns or repeated access attempts to this endpoint. Until an official patch is released, consider disabling or restricting the vulnerable functionality if feasible. Conduct a thorough review of database permissions to limit the impact of potential injection attacks. Additionally, apply network segmentation to isolate warehouse management systems from broader corporate networks. Regularly update threat intelligence feeds and subscribe to vendor advisories for patch availability. Finally, perform penetration testing focused on injection vectors to validate the effectiveness of mitigations.
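The log-monitoring recommendation above, worked through as an added example (not code from the advisory or from the deer-wms-2 project): a small Python scanner that reads Common Log Format access-log lines, isolates requests to /system/role/export that carry a client-supplied params[dataScope] value, and flags values containing SQL-like tokens. The log lines are constructed for the example, and the token list is a heuristic starting point for a WAF or SIEM rule, not a complete signature.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not from a real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2025:16:40:01 +0000] "GET /system/role/export?roleName=admin HTTP/1.1" 200 512
10.0.0.7 - - [25/Jul/2025:16:40:03 +0000] "GET /system/role/export?params%5BdataScope%5D=%20and%201%3D1 HTTP/1.1" 200 9811
10.0.0.9 - - [25/Jul/2025:16:40:05 +0000] "GET /system/role/export?params%5BdataScope%5D=%20union%20select%201%2C2%2C3 HTTP/1.1" 500 1021
10.0.0.5 - - [25/Jul/2025:16:40:09 +0000] "GET /system/user/list HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristic SQL fragments; tune to the deployment's false-positive tolerance.
SQLI_TOKENS = re.compile(
    r"(union\s+select|\bor\b\s+\d+=\d+|\band\b\s+\d+=\d+|--|/\*|;|\bsleep\(|\bbenchmark\()",
    re.I,
)

VULN_PATH = "/system/role/export"
PARAM = "params[dataScope]"


def flag_line(line):
    """Return a finding dict for a suspicious request to the export endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != VULN_PATH:
        return None
    # parse_qs percent-decodes both keys and values, so the bracketed key matches directly.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    value = values[0]
    # Even without SQL tokens, a client supplying this parameter is worth recording for triage.
    reason = "sql-like tokens in dataScope" if SQLI_TOKENS.search(value) else "client-supplied dataScope"
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "value": value, "reason": reason}


def scan(log_text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (flag_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed the script a real access log in place of SAMPLE_LOG; repeated hits from one source against this endpoint with status 500 responses are a useful secondary signal.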


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-25T07:00:14.716Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6883b532ad5a09ad00533857

Added to database: 7/25/2025, 4:47:46 PM

Last enriched: 7/25/2025, 5:02:40 PM

Last updated: 7/26/2025, 12:34:14 AM
