
CVE-2025-8220: SQL Injection in Engeman Web

Medium
Published: Sun Jul 27 2025 (07/27/2025, 03:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Engeman
Product: Web

Description

A vulnerability classified as critical has been found in Engeman Web up to 12.0.0.1. Affected is an unknown function of the file /Login/RecoveryPass of the component Password Recovery Page. The manipulation of the argument LanguageCombobox as part of Cookie leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/04/2025, 00:34:54 UTC

Technical Analysis

CVE-2025-8220 is a SQL injection vulnerability in Engeman Web versions up to 12.0.0.1, in the Password Recovery Page component served at /Login/RecoveryPass. The affected code takes the LanguageCombobox value from the HTTP Cookie header and uses it, without adequate sanitization, in a backend database query. A Cookie header is entirely client-controlled and the password recovery page is reachable before login, so any remote client can send a crafted LanguageCombobox value and alter the query without authentication or user interaction. Depending on the database and the query, this can disclose data (including stored credentials or personal data), modify or delete records, or disrupt the service. VulDB's description labels the issue critical, while the CVSS 4.0 base score is 6.9, which falls in the medium band: the score reflects a network-reachable, low-complexity, unauthenticated attack with no user interaction, but with confidentiality, integrity and availability impacts rated low (partial) rather than high. Exploit details have been disclosed publicly. The vendor was contacted before disclosure and had not responded, and no patch was available, as of publication. An unauthenticated, publicly exploitable injection point on an internet-facing login component is a significant exposure for any organization running Engeman Web.
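To make the injection path concrete, the following is an added Python example, not Engeman's code: the page does not publish the real query, schema or cookie handling, so the table names, columns, allow-list and cookie parsing below are assumptions made for the demo. It builds the query the way the advisory describes, with the LanguageCombobox cookie value pasted into the SQL text, and beside it shows the parameterized and allow-listed forms that a vendor-side fix would use. It runs against an in-memory SQLite database with constructed sample rows.

```python
import sqlite3


def make_db():
    """Constructed in-memory database. The schema is an assumption made for
    this demo; the real Engeman Web schema is not published on the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE languages (id INTEGER PRIMARY KEY, code TEXT, name TEXT);
        INSERT INTO languages (code, name) VALUES ('en', 'English'), ('pt', 'Portuguese');
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pwd_hash TEXT);
        INSERT INTO users (login, pwd_hash) VALUES
            ('admin', 'h4sh-admin'), ('jdoe', 'h4sh-jdoe');
    """)
    return conn


def parse_cookie(header):
    """Split a raw Cookie header ('a=1; b=2') into a dict. Simplified: no
    quoting or URL-decoding, which is enough for the demo values below."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def lookup_language_vulnerable(conn, cookie_header):
    """The pattern the advisory describes: the cookie value is concatenated
    straight into the SQL text, so a quote character breaks out of the literal."""
    lang = parse_cookie(cookie_header).get("LanguageCombobox", "en")
    sql = "SELECT name FROM languages WHERE code = '" + lang + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_language_parameterized(conn, cookie_header):
    """Fix 1: bind the value as a parameter. The driver sends it as data, so the
    injected text is compared against the code column and matches nothing."""
    lang = parse_cookie(cookie_header).get("LanguageCombobox", "en")
    rows = conn.execute("SELECT name FROM languages WHERE code = ?", (lang,))
    return [row[0] for row in rows]


ALLOWED_LANGUAGES = {"en", "pt"}  # codes the application ships; an assumption for the demo


def lookup_language_hardened(conn, cookie_header):
    """Fix 2: parameterize AND validate against an allow-list, so an unknown
    value falls back to the default instead of reaching the database at all."""
    lang = parse_cookie(cookie_header).get("LanguageCombobox", "en")
    if lang not in ALLOWED_LANGUAGES:
        lang = "en"
    rows = conn.execute("SELECT name FROM languages WHERE code = ?", (lang,))
    return [row[0] for row in rows]


# Constructed attacker cookie: closes the string literal, appends a UNION that
# reads the users table, and comments out the trailing quote.
INJECTED_COOKIE = "LanguageCombobox=x' UNION SELECT login || ':' || pwd_hash FROM users --"

if __name__ == "__main__":
    conn = make_db()
    print("normal   :", lookup_language_vulnerable(conn, "LanguageCombobox=pt"))
    print("injected :", lookup_language_vulnerable(conn, INJECTED_COOKIE))
    print("param    :", lookup_language_parameterized(conn, INJECTED_COOKIE))
    print("hardened :", lookup_language_hardened(conn, INJECTED_COOKIE))
```

The demo uses SQLite because the page does not name Engeman's backend database; the concatenation defect is database-independent, while the exact payload syntax (comment sequence, string concatenation operator) is not. Note that the parameterized version alone already defeats the payload; the allow-list additionally keeps garbage out of the query log and gives a WAF rule something precise to enforce.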

Potential Impact

For European organizations running Engeman Web, the main risk is unauthorized read access to the backend database through an unauthenticated, internet-facing page: user credentials and personal data held there could be disclosed, which is a personal data breach under GDPR with the associated notification obligations. Write access through the same injection could alter or delete records and disrupt maintenance operations, and a heavy or destructive query can degrade availability. Because no session or credential is needed, exploitation can be automated across every exposed instance, so the window between public disclosure and a patch matters. Organizations in sectors with strong regulatory scrutiny, such as finance, healthcare and government, face additional legal and reputational consequences. With no vendor response and no patch, affected organizations must rely on compensating controls.

Mitigation Recommendations

Immediate mitigation should focus on network-level and application-layer defences. The injection point is the Cookie header, not a query string or form field, so Web Application Firewall (WAF) rules must inspect cookie values, not only request parameters: add a rule that rejects requests to /Login/RecoveryPass whose LanguageCombobox cookie does not match the short language-code format the application expects (letters and a hyphen only), in addition to generic SQL injection signatures. Log the Cookie header for that path, and alert on values containing quotes, comment sequences or SQL keywords, on bursts of password recovery requests from one source, and on unexpected 500 responses from the page. Restricting access to the password recovery page to trusted IP ranges or via VPN reduces exposure, and where the business can tolerate it, disable the page until a fix is available. Code-level fixes (parameterized queries or prepared statements, strict validation of every cookie value against an allow-list, and security testing of the component) can only be applied by the vendor or by customers with source access, so they should be raised with Engeman rather than waited for. Prepare an incident response plan for SQL injection (which tables to check for exfiltration, which credentials to rotate), confirm that database backups are current and restorable, and monitor vendor channels for a patch.
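The monitoring advice above, as an added detection example that is not part of the original page and is not an Engeman or offseq tool: it parses constructed proxy access-log lines in which the Cookie header is logged as the last quoted field (an assumed log format; Engeman Web's own logging is not described on the page), and flags requests to /Login/RecoveryPass whose LanguageCombobox cookie is not a plain language code, separating values that contain SQL metacharacters or keywords from merely unexpected ones. The allow-list regex is the same check a WAF rule for this cookie should enforce.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (an assumption: a reverse proxy in front of
# Engeman Web logging the Cookie header as the last quoted field). The
# addresses, session ids and timestamps are made up for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jul/2025:03:10:01 +0000] "GET /Login/RecoveryPass HTTP/1.1" 200 5120 "LanguageCombobox=pt-BR; sessionid=a1b2c3"
10.0.0.7 - - [27/Jul/2025:03:10:09 +0000] "POST /Login/RecoveryPass HTTP/1.1" 500 312 "LanguageCombobox=pt'%20OR%20'1'%3D'1; sessionid=d4e5f6"
10.0.0.7 - - [27/Jul/2025:03:10:11 +0000] "POST /Login/RecoveryPass HTTP/1.1" 200 8210 "LanguageCombobox=x'%20UNION%20SELECT%20login%2Cpwd_hash%20FROM%20users--; sessionid=d4e5f6"
10.0.0.9 - - [27/Jul/2025:03:11:30 +0000] "GET /Login/RecoveryPass HTTP/1.1" 200 5120 "LanguageCombobox=zz99; sessionid=g7h8i9"
10.0.0.9 - - [27/Jul/2025:03:11:45 +0000] "GET /Login HTTP/1.1" 200 4020 "LanguageCombobox=x'--; sessionid=g7h8i9"
"""

# Combined-style access log with the Cookie header appended as a quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<cookie>[^"]*)"$'
)

# What a legitimate language selector looks like, e.g. "en" or "pt-BR" (assumed).
VALID_LANG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z]{2,4})?$")

# Characters and keywords that have no business in a language code.
SQLI_HINT = re.compile(
    r"""('|"|--|/\*|\bunion\b|\bselect\b|\binsert\b|\bupdate\b|\bdelete\b|"""
    r"""\bdrop\b|\bsleep\b|\bwaitfor\b|\bor\b\s*\S+\s*=)""",
    re.IGNORECASE,
)


def parse_cookie(header):
    """Split a raw Cookie header ('a=1; b=2') into a dict (simplified parser)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def analyze_log(text, path="/Login/RecoveryPass", cookie_name="LanguageCombobox"):
    """Return one finding per request to `path` whose cookie value fails the
    allow-list, in log order. 'sqli_pattern' findings deserve an immediate alert;
    'unexpected_value' findings are worth a look but may be client bugs."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?", 1)[0] != path:
            continue
        raw = parse_cookie(m.group("cookie")).get(cookie_name)
        if raw is None:
            continue
        value = unquote(raw)  # proxies usually log the header URL-encoded
        if VALID_LANG.match(value):
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "value": value,
            "reason": "sqli_pattern" if SQLI_HINT.search(value) else "unexpected_value",
        })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']:16} status={f['status']} value={f['value']!r}")
```

Decode the logged cookie before matching, as above, otherwise the quote characters stay hidden behind %27 and a naive string search misses them. The operative check is the allow-list, not the signature list: anything that is not a language code is rejected, so the detection does not depend on keeping up with payload variants, and the same regex can be deployed as the WAF rule for this cookie on this path.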


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-26T08:58:22.562Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68859dd9ad5a09ad006c8a5e

Added to database: 7/27/2025, 3:32:41 AM

Last enriched: 8/4/2025, 12:34:54 AM

Last updated: 9/14/2025, 12:42:40 PM
