CVE-2025-8908 is a SQL Injection vulnerability identified in Shanghai Lingdang Information Technology's Lingdang CRM product, specifically affecting versions up to 8.6.5.4. The vulnerability resides in an unspecified functionality within the file crm/WeiXinApp/yunzhijia/event.php, where the 'openid' parameter is improperly sanitized. This improper handling allows an attacker to inject malicious SQL code remotely without requiring user interaction or elevated privileges beyond low-level privileges (PR:L). The vulnerability enables an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or disruption of service. The vendor has addressed this issue in version 8.6.5 by implementing parameterized queries and input sanitization to eliminate SQL injection vectors. The CVSS v4.0 base score is 5.3, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L). Although no known exploits are currently active in the wild, the public disclosure of the exploit code increases the risk of exploitation if systems remain unpatched.

For European organizations using Lingdang CRM versions up to 8.6.5.4, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to sensitive customer relationship management data, including personal and business information, potentially violating GDPR and other data protection regulations. Data integrity could be compromised, affecting business operations and decision-making. Availability impacts, while limited, could disrupt CRM services, affecting sales and customer support workflows. The remote exploitability without user interaction increases the risk of automated attacks or exploitation by low-skilled threat actors. Given the CRM's role in managing client data and communications, exploitation could also facilitate lateral movement within networks or serve as a foothold for further attacks. The medium severity suggests that while the threat is not critical, timely remediation is essential to prevent data breaches and operational disruptions.

European organizations should prioritize upgrading Lingdang CRM to version 8.6.5 or later, where the vulnerability is patched with parameterized queries and input sanitization. Until upgrades are applied, organizations should implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'openid' parameter in the affected endpoint. Conduct thorough input validation and sanitization at the application layer as an additional safeguard. Regularly audit and monitor database logs for suspicious queries or anomalies indicative of injection attempts. Employ network segmentation to limit access to the CRM system and restrict database access to only necessary services and users. Additionally, ensure that least privilege principles are enforced for CRM user accounts to minimize the impact of potential exploitation. Finally, maintain up-to-date backups of CRM data to enable recovery in case of data corruption or loss.