
CVE-2025-9410: SQL Injection in lostvip-com ruoyi-go

Medium
Tags: Vulnerability, CVE-2025-9410
Published: Mon Aug 25 2025 (08/25/2025, 16:32:06 UTC)
Source: CVE Database V5
Vendor/Project: lostvip-com
Product: ruoyi-go

Description

A weakness has been identified in lostvip-com ruoyi-go up to 2.1. The affected element is the function SelectListByPage of the file modules/system/dao/GenTableDao.go. Manipulation of the argument isAsc/orderByColumn can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 08/25/2025, 17:02:49 UTC

Technical Analysis

CVE-2025-9410 is a medium-severity SQL Injection vulnerability identified in the lostvip-com ruoyi-go software, specifically affecting versions up to 2.1. The vulnerability resides in the SelectListByPage function within the file modules/system/dao/GenTableDao.go. This function improperly handles the manipulation of the arguments isAsc and orderByColumn, which are used to control sorting behavior in SQL queries. An attacker can exploit this flaw by injecting malicious SQL code through these parameters, leading to unauthorized database queries. The vulnerability is remotely exploitable without requiring user interaction or authentication, increasing its risk profile. Although the vendor was notified early, no response or patch has been issued, and a public exploit is available, which raises the likelihood of exploitation. The CVSS 4.0 base score is 5.3, reflecting a medium impact on confidentiality, integrity, and availability, with low complexity and no privileges or user interaction needed. The vulnerability affects the core data access layer of ruoyi-go, a popular open-source Java-based rapid development framework used for building enterprise applications. Exploitation could allow attackers to extract sensitive data, modify database contents, or disrupt application functionality by executing arbitrary SQL commands. Given the lack of vendor response and public exploit availability, the threat is credible and should be addressed promptly.

Potential Impact

For European organizations using ruoyi-go versions 2.0 or 2.1, this vulnerability poses a tangible risk to data confidentiality, integrity, and availability. Exploitation could lead to unauthorized data disclosure, data tampering, or denial of service conditions impacting critical business applications built on this framework. Since ruoyi-go is used in enterprise environments for rapid application development, compromised systems could expose sensitive customer information, intellectual property, or internal business data. The remote and unauthenticated nature of the exploit increases the risk of automated attacks and widespread exploitation. Additionally, the absence of a vendor patch and public exploit availability heighten the urgency for European entities to assess their exposure. Organizations in regulated sectors such as finance, healthcare, and government may face compliance and reputational risks if exploited. The impact extends beyond data loss to potential operational disruptions and increased incident response costs.

Mitigation Recommendations

European organizations should immediately audit their software inventory to identify deployments of ruoyi-go versions 2.0 and 2.1. Until an official patch is released, implement the following mitigations:

1. Apply strict input validation on the isAsc and orderByColumn parameters at the application or web server level: accept only an allow-list of sortable column names and the literal sort directions, rather than trying to filter out malicious payloads.
2. Employ Web Application Firewalls (WAFs) with custom rules targeting SQL injection patterns in ruoyi-go's query parameters.
3. Restrict database user permissions to the minimum necessary, so that data modification or extraction is limited even if SQL injection occurs.
4. Monitor logs for unusual query patterns or database errors indicative of injection attempts.
5. Consider temporarily disabling or restricting access to the vulnerable endpoints if feasible.
6. Engage with the ruoyi-go community or maintainers for updates or unofficial patches.
7. Prepare incident response plans to quickly contain and remediate any exploitation.

These targeted actions go beyond generic advice by focusing on the specific vulnerable function and parameters involved.
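The following Go example is added here to illustrate mitigations 1 and 4; it is not ruoyi-go's code and does not reproduce the vulnerable SelectListByPage function. It contrasts the general pattern behind this class of bug (request-supplied sort column and direction concatenated into ORDER BY) with an allow-list based builder, and reuses that allow-list to flag access-log lines whose sort parameters would have been rejected. The table name, column names, endpoint path and log lines are all constructed assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// buildOrderByUnsafe shows the vulnerable pattern in general form: untrusted
// request values are pasted straight into the ORDER BY clause. It is a
// constructed illustration, not code from ruoyi-go.
func buildOrderByUnsafe(orderByColumn, isAsc string) string {
	return "SELECT * FROM gen_table ORDER BY " + orderByColumn + " " + isAsc
}

// allowedSortColumns maps the client-visible sort keys onto fixed SQL
// identifiers. Column names are assumed for this example.
var allowedSortColumns = map[string]string{
	"table_name":  "table_name",
	"create_time": "create_time",
	"update_time": "update_time",
}

// buildOrderBySafe only ever emits identifiers from the allow-list and a
// direction it chose itself, so no request text reaches the SQL string.
func buildOrderBySafe(orderByColumn, isAsc string) (string, error) {
	col, ok := allowedSortColumns[strings.ToLower(strings.TrimSpace(orderByColumn))]
	if !ok {
		return "", fmt.Errorf("orderByColumn %q is not a sortable column", orderByColumn)
	}
	var dir string
	switch strings.ToLower(strings.TrimSpace(isAsc)) {
	case "", "asc", "ascending":
		dir = "ASC"
	case "desc", "descending":
		dir = "DESC"
	default:
		return "", errors.New("isAsc must be asc or desc")
	}
	return "SELECT * FROM gen_table ORDER BY " + col + " " + dir, nil
}

// sampleLogLines are constructed access-log lines used to exercise the
// detection helper; the endpoint path is an assumption.
var sampleLogLines = []string{
	`10.0.0.5 - - "GET /system/gen/list?pageNum=1&orderByColumn=create_time&isAsc=desc HTTP/1.1" 200`,
	`10.0.0.7 - - "GET /system/gen/list?pageNum=1&orderByColumn=create_time,1&isAsc=asc HTTP/1.1" 200`,
	`10.0.0.9 - - "GET /system/gen/list?orderByColumn=table_name&isAsc=asc,1 HTTP/1.1" 500`,
}

// suspiciousRequests returns the log lines whose sort parameters fail the
// same allow-list the application should enforce; these are the requests a
// defender would review as possible injection attempts (mitigation 4).
func suspiciousRequests(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		start := strings.Index(line, `"GET `)
		if start < 0 {
			continue
		}
		rest := line[start+len(`"GET `):]
		end := strings.Index(rest, " ")
		if end < 0 {
			continue
		}
		u, err := url.Parse(rest[:end])
		if err != nil {
			continue
		}
		q := u.Query()
		if !q.Has("orderByColumn") && !q.Has("isAsc") {
			continue
		}
		if _, err := buildOrderBySafe(q.Get("orderByColumn"), q.Get("isAsc")); err != nil {
			flagged = append(flagged, line)
		}
	}
	return flagged
}

func main() {
	fmt.Println("unsafe:", buildOrderByUnsafe("create_time,1", "asc"))
	if q, err := buildOrderBySafe("create_time", "desc"); err == nil {
		fmt.Println("safe:  ", q)
	}
	if _, err := buildOrderBySafe("create_time,1", "asc"); err != nil {
		fmt.Println("rejected:", err)
	}
	for _, l := range suspiciousRequests(sampleLogLines) {
		fmt.Println("flagged:", l)
	}
}
```

The allow-list approach is preferred over pattern-based filtering because ORDER BY takes identifiers, which cannot be bound as query parameters; the only robust fix is to never let request text become part of the statement. Running the same check over historical access logs gives a quick retrospective view of whether the parameters were ever probed.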


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-25T08:45:05.090Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ac93acad5a09ad004dbb7d

Added to database: 8/25/2025, 4:47:40 PM

Last enriched: 8/25/2025, 5:02:49 PM

Last updated: 8/25/2025, 5:50:42 PM
