
CVE-2025-9391: SQL Injection in Bjskzy Zhiyou ERP

Severity: Medium
Published: Sun Aug 24 2025 (08/24/2025, 14:32:10 UTC)
Source: CVE Database V5
Vendor/Project: Bjskzy
Product: Zhiyou ERP

Description

A weakness has been identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this issue is the function getFieldValue of the component com.artery.workflow.ServiceImpl. Manipulation of the argument sql leads to SQL injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/01/2025, 01:05:39 UTC

Technical Analysis

CVE-2025-9391 is a SQL injection vulnerability in Bjskzy Zhiyou ERP affecting version 11.0. It resides in the getFieldValue function of the com.artery.workflow.ServiceImpl component, which handles its 'sql' argument improperly and thereby lets an attacker manipulate the SQL queries the application executes. Because the flaw can be triggered remotely without user interaction, it presents a significant risk: an attacker can execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or, depending on the permissions of the database account, full system compromise. The vendor was contacted but did not respond or provide a patch; no exploitation in the wild has been observed, but a public exploit is available, which raises the likelihood of exploitation. The CVSS 4.0 base score is 5.3 (medium severity), reflecting low attack complexity and a partial, low-to-medium impact on confidentiality, integrity, and availability. The score is also tempered by the vector's PR:L, meaning the attacker needs some level of privilege on the application.

Potential Impact

For European organizations using Bjskzy Zhiyou ERP version 11.0, this vulnerability poses a moderate risk. ERP systems typically contain sensitive business data, including financial records, personnel information, and operational workflows. Exploitation could lead to unauthorized data disclosure, data tampering, or disruption of business processes. Given the remote exploitability without user interaction, attackers could leverage this vulnerability to gain footholds in corporate networks, potentially escalating privileges or moving laterally. The lack of vendor response and absence of patches increases exposure time. Organizations in sectors with high regulatory requirements for data protection (e.g., finance, healthcare, manufacturing) may face compliance risks if data breaches occur. Additionally, disruption of ERP operations could impact supply chain and business continuity. Although no active exploitation is reported, the availability of a public exploit increases the likelihood of future attacks, especially targeting organizations with weak perimeter defenses or insufficient monitoring.

Mitigation Recommendations

1. Immediate mitigation should include restricting network access to the ERP system, limiting it to trusted internal IP addresses or VPN users only.
2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the getFieldValue function or related endpoints.
3. Conduct thorough input validation and sanitization on all user-supplied inputs, especially those that influence SQL queries.
4. Monitor logs for unusual database query patterns or errors indicative of injection attempts.
5. If feasible, isolate the ERP database with strict least-privilege access controls to minimize damage from potential injection attacks.
6. Engage with the vendor or community to seek patches or updates; if unavailable, consider code review or custom patching to fix the vulnerable function.
7. Prepare incident response plans specifically addressing potential data breaches or system compromises stemming from this vulnerability.
8. Educate internal teams about the risk and signs of exploitation to improve detection and response times.
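To make recommendation 3 concrete, the following added example (not code from Zhiyou ERP, whose getFieldValue implementation is not shown on this page) contrasts a hypothetical field lookup that splices caller text into its SQL string with a hardened version that allowlists the column identifier and binds the record id as a parameter. The table, column names and rows are constructed for the demonstration.

```python
import sqlite3

# Column names a caller is permitted to request; anything else is rejected.
# (Constructed allowlist; a real implementation would derive it from the schema.)
ALLOWED_FIELDS = {"status", "owner", "amount"}


def make_db():
    """Build an in-memory table standing in for an ERP workflow record store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE workflow (id INTEGER PRIMARY KEY, status TEXT, owner TEXT, amount REAL)")
    db.executemany(
        "INSERT INTO workflow (status, owner, amount) VALUES (?, ?, ?)",
        [("open", "alice", 120.0), ("closed", "bob", 99.5), ("open", "carol", 7.0)],
    )
    return db


def get_field_value_vulnerable(db, field, record_id):
    """Hypothetical vulnerable pattern: caller-controlled text becomes part of the SQL."""
    sql = f"SELECT {field} FROM workflow WHERE id = {record_id} ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def get_field_value_hardened(db, field, record_id):
    """Same lookup with the identifier allowlisted and the value bound as a parameter."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field: {field!r}")
    if not isinstance(record_id, int):
        raise TypeError("record_id must be an int")
    # Only a vetted identifier is interpolated; the id never touches the SQL text.
    sql = f"SELECT {field} FROM workflow WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (record_id,))]


def hardened_rejects(db, field, record_id):
    """Return True when the hardened lookup refuses the input instead of querying."""
    try:
        get_field_value_hardened(db, field, record_id)
    except (ValueError, TypeError):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("benign lookup:", get_field_value_vulnerable(db, "owner", 1))
    # A tautology in the id argument makes the vulnerable version return every owner.
    print("tampered id:  ", get_field_value_vulnerable(db, "owner", "1 OR 1=1"))
    print("hardened:     ", get_field_value_hardened(db, "owner", 1),
          "rejects tampered id:", hardened_rejects(db, "owner", "1 OR 1=1"))
```

The allowlist is what protects the column position, since identifiers cannot be bound as parameters in most SQL drivers; binding alone covers only the value position.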


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-23T15:32:39.258Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ab260dad5a09ad0030750f

Added to database: 8/24/2025, 2:47:41 PM

Last enriched: 9/1/2025, 1:05:39 AM

Last updated: 10/9/2025, 2:13:02 AM


