CVE-2025-9412: SQL Injection in lostvip-com ruoyi-go
A vulnerability was detected in lostvip-com ruoyi-go up to 2.1. This affects the function SelectListByPage of the file modules/system/dao/DictDataDao.go. The manipulation of the argument orderByColumn/isAsc results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9412 is a medium-severity SQL injection vulnerability in lostvip-com ruoyi-go versions 2.0 and 2.1. It lives in the SelectListByPage function of modules/system/dao/DictDataDao.go, which builds the ORDER BY clause of the dictionary-data listing query from the request parameters orderByColumn and isAsc. Neither value is checked against the set of real column names or the two legal sort directions before it is appended to the SQL string, so anyone who controls those parameters can inject arbitrary SQL into the ORDER BY clause. Because sort columns and directions cannot be bound as prepared-statement parameters, this class of bug survives even where the rest of the query is parameterized; the only sound fix is an allowlist. The advisory describes the attack as remote, requiring no user interaction, and this analysis treats it as requiring no privileges; the CVSS 4.0 base score is nonetheless 5.3 (medium). In RuoYi-derived applications the dictionary-data listing is normally part of the authenticated administration console, so confirm whether your deployment exposes that endpoint to unauthenticated clients before deciding how urgent this is. Public exploit code is available, and the vendor, contacted ahead of disclosure, has neither responded nor shipped a fix. Successful exploitation affects the confidentiality and integrity of the database behind the application and, through time-based or resource-heavy subqueries in the sort expression, its availability. ruoyi-go is a Go port of the RuoYi rapid-development framework (the original RuoYi is Java), used to build administrative back ends for enterprise applications in a range of organizational environments.
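The sink described above, as an added example in Go that is not code from ruoyi-go or from this advisory: buildVulnerableQuery reconstructs the concatenation pattern the CVE describes, and buildSafeQuery is the hardened form, which maps orderByColumn onto a fixed allowlist and isAsc onto the two literal directions. The table name, column names, function names and the attacker input are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Column allowlist for the dictionary-data table. The request-side keys and
// the SQL column names are assumed; ruoyi-go's real schema is not on this page.
var dictDataColumns = map[string]string{
	"dictCode":   "dict_code",
	"dictSort":   "dict_sort",
	"dictLabel":  "dict_label",
	"dictValue":  "dict_value",
	"status":     "status",
	"createTime": "create_time",
}

var errBadOrder = errors.New("invalid orderByColumn/isAsc")

// buildVulnerableQuery mirrors the pattern behind the CVE: the caller-supplied
// orderByColumn and isAsc are concatenated straight into the ORDER BY clause,
// so whatever the client sends reaches the SQL engine verbatim. This is a
// reconstruction of the bug class, not the project's code.
func buildVulnerableQuery(orderByColumn, isAsc string) string {
	q := "SELECT dict_code, dict_label, dict_value FROM sys_dict_data"
	if orderByColumn != "" {
		q += " ORDER BY " + orderByColumn + " " + isAsc
	}
	return q + " LIMIT ? OFFSET ?"
}

// buildSafeQuery is the hardened form. ORDER BY cannot take bind parameters,
// so the request values are never copied into the SQL: the column key is
// looked up in the allowlist and the direction is reduced to ASC or DESC.
// Anything else is rejected before a query string exists.
func buildSafeQuery(orderByColumn, isAsc string) (string, error) {
	q := "SELECT dict_code, dict_label, dict_value FROM sys_dict_data"
	if orderByColumn == "" {
		return q + " LIMIT ? OFFSET ?", nil
	}
	col, ok := dictDataColumns[orderByColumn]
	if !ok {
		return "", errBadOrder
	}
	var dir string
	switch strings.ToLower(isAsc) {
	case "", "asc", "ascending":
		dir = "ASC"
	case "desc", "descending":
		dir = "DESC"
	default:
		return "", errBadOrder
	}
	return q + " ORDER BY " + col + " " + dir + " LIMIT ? OFFSET ?", nil
}

func main() {
	// Constructed attacker input: a time-based probe smuggled into the sort column.
	evil := "dict_sort,(SELECT SLEEP(5))"
	fmt.Println("vulnerable:", buildVulnerableQuery(evil, "asc"))
	if _, err := buildSafeQuery(evil, "asc"); err != nil {
		fmt.Println("hardened:  ", err)
	}
	q, _ := buildSafeQuery("dictSort", "desc")
	fmt.Println("hardened:  ", q)
}
```

The allowlist doubles as the mapping from API field names to physical column names, which is why it returns a string rather than a bool: the value that ends up in the SQL never originates from the request.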
Potential Impact
For organizations running ruoyi-go 2.0 or 2.1, including the European deployments this analysis focuses on, the exposure is to the confidentiality and integrity of whatever the application's database holds. An injected ORDER BY expression can be used to read other tables through blind (boolean- or time-based) techniques, expensive subqueries can degrade the database into a denial of service, and, depending on driver and database configuration, data modification is possible. ruoyi-go is typically used for administrative back ends, so the data at risk is often business records and personal data, and a breach may trigger GDPR notification duties and penalties. With public exploit code available and no vendor response, any exposed instance should be assumed to be under probing. Sectors such as finance, healthcare, government and critical infrastructure that build on RuoYi-style frameworks are most affected, and an instance reachable from the internet can be attacked directly. Consequences include reputational damage, regulatory penalties and operational disruption.
Mitigation Recommendations
Since no official patch is currently available, organizations running ruoyi-go 2.0 or 2.1 should apply compensating controls now. These include:
1) Fixing the root cause where the application is built from source: map orderByColumn onto an allowlist of known column names and accept only asc or desc for isAsc, rejecting anything else before the query string is assembled. ORDER BY cannot be parameterized, so an allowlist is the correct fix; escaping or keyword filtering is not.
2) Restricting external access to the affected ruoyi-go applications with network segmentation and firewall rules so that only trusted internal networks can reach them.
3) Deploying Web Application Firewall (WAF) rules that reject requests whose orderByColumn contains anything other than identifier characters ([A-Za-z0-9_]) or whose isAsc is not asc or desc. A positive rule of this shape is stricter and less error-prone than signature matching on SQL keywords.
4) Monitoring application and database query logs for those two parameters carrying commas, parentheses, quotes or SQL keywords, and for bursts of slow dictionary-data queries, which indicate time-based probing.
5) Planning and prioritizing an upgrade once the vendor releases a fix; because the vendor has not responded to the disclosure, track the project's repository directly rather than waiting for an announcement.
6) Performing regular security assessments and penetration tests that cover sort and pagination parameters, a recurring injection vector in this code base (the same product has a second SQL injection tracked as CVE-2025-9413).
7) Educating development teams on secure coding practices, in particular that dynamic ORDER BY, GROUP BY and table-name fragments need allowlists rather than bind parameters.
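A detection pass over access-log lines, as an added example in Go that is not part of this page or of ruoyi-go, implementing the WAF and monitoring items above: it extracts the request URL from each line, decodes the query string, and flags any orderByColumn value that is not a plain identifier and any isAsc value other than asc/desc. The request path, the log format and the log lines themselves are constructed assumptions; only the two parameter names come from the advisory.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample of access-log lines (not real ruoyi-go logs). The first
// two are benign sorts; the third injects into orderByColumn, the fourth into
// isAsc. Values are URL-encoded the way a client would send them.
const sampleLog = `10.0.0.5 - - [25/Aug/2025:18:01:02 +0000] "GET /system/dict/data/list?pageNum=1&pageSize=10&orderByColumn=dictSort&isAsc=asc HTTP/1.1" 200
10.0.0.5 - - [25/Aug/2025:18:01:09 +0000] "GET /system/dict/data/list?pageNum=1&pageSize=10&orderByColumn=dictSort&isAsc=desc HTTP/1.1" 200
203.0.113.7 - - [25/Aug/2025:18:02:41 +0000] "GET /system/dict/data/list?orderByColumn=dict_sort%2C%28SELECT%20SLEEP%285%29%29&isAsc=asc HTTP/1.1" 200
203.0.113.7 - - [25/Aug/2025:18:02:44 +0000] "GET /system/dict/data/list?orderByColumn=dictSort&isAsc=asc%2Cextractvalue%281%2Cconcat%280x7e%2Cversion%28%29%29%29 HTTP/1.1" 500
`

// A legitimate sort column is a bare identifier; anything else (comma,
// parenthesis, quote, space, operator) has no business in that parameter.
var safeColumn = regexp.MustCompile(`^[A-Za-z0-9_]{1,64}$`)

// Pulls the request target out of a common-log-format request field.
var requestRe = regexp.MustCompile(`"(?:GET|POST) (\S+) HTTP/`)

// Finding records one suspicious request: the log line, which parameter
// tripped the check, and the decoded value an analyst will want to see.
type Finding struct {
	Line  int
	Param string
	Value string
}

// checkOrderParams applies the positive-validation rule to one decoded URL.
// It returns the offending parameter and value, or bad == false when both
// parameters have the shape a legitimate client would send.
func checkOrderParams(u *url.URL) (param, value string, bad bool) {
	q := u.Query()
	if col := q.Get("orderByColumn"); col != "" && !safeColumn.MatchString(col) {
		return "orderByColumn", col, true
	}
	switch strings.ToLower(q.Get("isAsc")) {
	case "", "asc", "desc", "ascending", "descending":
		return "", "", false
	default:
		return "isAsc", q.Get("isAsc"), true
	}
}

// ScanLog walks the log text line by line and reports every request whose
// orderByColumn/isAsc values look like an injection attempt. Lines without a
// parseable request target are skipped rather than treated as findings.
func ScanLog(logText string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		m := requestRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		if p, v, bad := checkOrderParams(u); bad {
			out = append(out, Finding{Line: n, Param: p, Value: v})
		}
	}
	return out
}

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("line %d: suspicious %s=%q\n", f.Line, f.Param, f.Value)
	}
}
```

The same two checks, expressed as a positive rule on the decoded parameter values, are what a WAF rule for this endpoint should enforce; matching on SQL keywords instead would miss payloads that use only commas, parentheses and function calls, as the third sample line does.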
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-25T08:45:29.702Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68aca1bcad5a09ad004e3090
Added to database: 8/25/2025, 5:47:40 PM
Last enriched: 8/25/2025, 6:03:00 PM
Last updated: 8/25/2025, 6:03:00 PM
Related Threats
- Safeguarding VS Code against prompt injections (Medium)
- CVE-2025-9415: Unrestricted Upload in GreenCMS (Medium)
- CVE-2025-9414: Server-Side Request Forgery in kalcaddle kodbox (Medium)
- CVE-2025-9413: SQL Injection in lostvip-com ruoyi-go (Medium)
- CVE-2025-50383: n/a (High)