
CVE-2025-9255: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Uniong WebITR

Severity: High
Published: Fri Aug 22 2025 (08/22/2025, 11:25:34 UTC)
Source: CVE Database V5
Vendor/Project: Uniong
Product: WebITR

Description

WebITR developed by Uniong has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

AI-Powered Analysis

Last updated: 08/22/2025, 11:47:56 UTC

Technical Analysis

CVE-2025-9255 is a high-severity SQL Injection vulnerability identified in the WebITR product developed by Uniong. The vulnerability stems from improper neutralization of special elements used in SQL commands (CWE-89), allowing unauthenticated remote attackers to inject arbitrary SQL commands. This flaw enables attackers to read sensitive database contents without requiring any authentication or user interaction. The vulnerability affects version 0 of WebITR, with no patches currently available. The CVSS 4.0 base score is 8.7, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H) but no impact on integrity or availability. The vulnerability is exploitable remotely over the network, making it a critical risk for exposed systems. Although no known exploits are currently reported in the wild, the ease of exploitation and the potential for data disclosure make this a significant threat. The lack of authentication and user interaction requirements means that any exposed WebITR instance is vulnerable to immediate compromise by attackers capable of crafting malicious SQL payloads. The vulnerability could lead to unauthorized disclosure of sensitive data, including user credentials, business information, or other confidential records stored in the backend database. This could further facilitate lateral movement, privilege escalation, or targeted attacks within affected organizations.

Potential Impact

For European organizations using WebITR, this vulnerability poses a substantial risk to the confidentiality of their data. Since the vulnerability allows unauthenticated remote attackers to extract database contents, organizations could suffer significant data breaches, leading to regulatory penalties under GDPR for loss of personal data. The exposure of sensitive business or customer information could damage reputation and trust. Additionally, attackers could leverage the disclosed data to conduct further attacks, including identity theft, fraud, or corporate espionage. The absence of patches and the high severity score increase the urgency for European entities to assess their exposure. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, are particularly vulnerable to the consequences of such data leaks. Moreover, if WebITR is integrated into critical infrastructure or operational systems, the breach could indirectly impact service availability or operational integrity through subsequent attacks.

Mitigation Recommendations

Given the lack of official patches, European organizations should immediately conduct a comprehensive inventory to identify all instances of WebITR in their environment. Network-level protections such as Web Application Firewalls (WAFs) should be deployed or updated with custom rules to detect and block SQL injection attempts targeting WebITR endpoints. Input validation and parameterized queries should be enforced if organizations have the capability to modify the application code or deploy compensating controls. Restricting network access to WebITR interfaces through segmentation and firewall rules can reduce exposure to untrusted networks. Continuous monitoring and logging of database queries and application logs should be implemented to detect suspicious activities indicative of exploitation attempts. Organizations should also prepare incident response plans specific to SQL injection attacks and consider engaging with Uniong for updates or patches. Finally, regular security assessments and penetration testing focusing on injection flaws should be scheduled to proactively identify and remediate similar vulnerabilities.
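The difference between a concatenated query and the parameterized query recommended above, as an added example that is not WebITR code: the `staff` table, its columns, the function names and the sample input are all hypothetical and constructed here, with an in-memory SQLite database standing in for the backend.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
ROWS = [("1001", "Alice", "pw-hash-a"), ("1002", "Bob", "pw-hash-b"),
        ("1003", "Carol", "pw-hash-c")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (emp_id TEXT PRIMARY KEY, name TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO staff VALUES (?, ?, ?)", ROWS)
    return db

def lookup_concatenated(db, emp_id):
    # CWE-89: request input becomes part of the SQL text, so a quote in the
    # input ends the string literal and the remainder is parsed as SQL.
    sql = "SELECT name FROM staff WHERE emp_id = '" + emp_id + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, emp_id):
    # The statement text is fixed; the driver binds emp_id as a value only.
    sql = "SELECT name FROM staff WHERE emp_id = ?"
    return [row[0] for row in db.execute(sql, (emp_id,))]

def is_valid_emp_id(emp_id):
    # Allow-list validation as a second layer: ASCII digits, bounded length.
    return emp_id.isascii() and emp_id.isdigit() and 1 <= len(emp_id) <= 10

def handle_request(db, emp_id):
    # Hardened path: reject malformed input, then query with a bound parameter.
    if not is_valid_emp_id(emp_id):
        return None
    return lookup_parameterized(db, emp_id)

if __name__ == "__main__":
    db = make_db()
    crafted = "1001' OR '1'='1"  # constructed input containing a stray quote
    print("concatenated :", lookup_concatenated(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
    print("validated    :", handle_request(db, crafted))
```

Binding alone is what removes the injection; the validation step only narrows what reaches the database and gives the application a clean point at which to log rejected input.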


Technical Details

Data Version: 5.1
Assigner Short Name: twcert
Date Reserved: 2025-08-20T12:01:40.657Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68a85560ad5a09ad001e8473

Added to database: 8/22/2025, 11:32:48 AM

Last enriched: 8/22/2025, 11:47:56 AM

Last updated: 10/7/2025, 1:50:08 PM
