CVE-2026-1120: SQL Injection in Yonyou KSOA

Severity: Medium
Published: Sun Jan 18 2026 (01/18/2026, 13:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Yonyou
Product: KSOA

Description

CVE-2026-1120 is a medium-severity SQL injection vulnerability in Yonyou KSOA version 9.0, specifically in the /worksheet/del_work.jsp file via the HTTP GET parameter 'ID'. The flaw allows unauthenticated remote attackers to manipulate SQL queries, potentially leading to unauthorized data access or modification. The vendor has not responded to the disclosure, and no public exploits are currently known. The vulnerability impacts confidentiality, integrity, and availability to a limited extent and requires no user interaction or privileges to exploit. European organizations using Yonyou KSOA 9.0, especially in sectors relying on this ERP system, should prioritize mitigation. Countries with significant adoption of Yonyou products and strategic industries using ERP solutions are at higher risk. Immediate mitigation involves input validation, web application firewalls, and monitoring for unusual database activity.

AI-Powered Analysis

Last updated: 01/18/2026, 13:41:04 UTC

Technical Analysis

CVE-2026-1120 identifies a SQL injection vulnerability in Yonyou KSOA version 9.0, located in the /worksheet/del_work.jsp component. The vulnerability arises from improper sanitization of the 'ID' parameter in an HTTP GET request, allowing an attacker to inject arbitrary SQL commands. This injection flaw can be exploited remotely without authentication or user interaction, making it accessible to any attacker with network access to the affected service. Successful exploitation could lead to unauthorized reading, modification, or deletion of database records, potentially compromising sensitive business data managed by the ERP system. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the ease of exploitation (low attack complexity, no privileges required) but limited impact scope (partial confidentiality, integrity, and availability impacts). The vendor Yonyou has not issued a patch or responded to the disclosure, and no known exploits are currently in the wild, though public disclosure increases the risk of future exploitation. The vulnerability affects a critical business application component, making it a significant concern for organizations relying on Yonyou KSOA for enterprise resource planning and workflow management.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized data exposure and manipulation within the Yonyou KSOA ERP system, potentially disrupting business operations and compromising sensitive corporate information. The ability to execute SQL injection remotely without authentication increases the threat level, especially for organizations with internet-facing KSOA instances or insufficient network segmentation. Data integrity issues could affect financial records, project management data, or other critical workflows managed by the system. Confidentiality breaches could expose intellectual property or personal data, raising compliance concerns under GDPR. Availability impacts, while limited, could still disrupt business continuity if database integrity is compromised. The lack of vendor response and patch availability heightens the risk, necessitating immediate compensating controls. European entities in manufacturing, finance, and government sectors using Yonyou products are particularly vulnerable due to the strategic importance of ERP systems in these industries.

Mitigation Recommendations

1. Implement strict input validation and parameterized queries on all user inputs, especially the 'ID' parameter in /worksheet/del_work.jsp, to prevent SQL injection.
2. Deploy Web Application Firewalls (WAFs) with updated rules to detect and block SQL injection attempts targeting Yonyou KSOA endpoints.
3. Restrict network access to the KSOA application, limiting exposure to trusted internal networks and VPNs only.
4. Monitor database logs and application logs for unusual query patterns or errors indicative of injection attempts.
5. Conduct regular security assessments and penetration testing focused on web application vulnerabilities.
6. Engage with Yonyou support channels to request official patches or guidance and track any future updates.
7. If feasible, isolate the affected application components in segmented network zones to minimize lateral movement risk.
8. Educate IT and security teams about this specific vulnerability and ensure incident response plans include SQL injection scenarios.
9. Consider deploying runtime application self-protection (RASP) tools to detect and block injection attacks in real time.
10. Prepare for potential incident response by backing up critical data and verifying recovery procedures.
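As an added illustration of recommendation 1, the following is example code written for this page, not code from Yonyou KSOA: the table name, column name, and class are assumptions. It places the string-concatenation pattern that produces this class of flaw beside a replacement that validates the 'ID' parameter and binds it with a JDBC placeholder.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

// Illustrative handler for a worksheet-delete request. The table and column
// names (worksheet, id) and this class are assumptions, not KSOA code.
public class WorksheetDelete {

    // VULNERABLE PATTERN: the raw 'ID' query parameter is spliced into the
    // SQL text, so whatever the client sends becomes part of the statement.
    static int deleteVulnerable(Connection conn, String idParam) throws SQLException {
        String sql = "DELETE FROM worksheet WHERE id = " + idParam;
        try (Statement st = conn.createStatement()) {
            return st.executeUpdate(sql);
        }
    }

    // HARDENED: the parameter is validated as an integer first, then bound
    // through a placeholder so the database never parses it as SQL.
    static int deleteHardened(Connection conn, String idParam) throws SQLException {
        long id = parseId(idParam); // rejects anything that is not a plain integer
        String sql = "DELETE FROM worksheet WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, id);
            return ps.executeUpdate();
        }
    }

    // Allow-list validation: only a decimal digit string short enough to fit
    // in a long is accepted; everything else is rejected before any SQL runs.
    static long parseId(String idParam) {
        if (idParam == null || idParam.isEmpty() || idParam.length() > 18
                || !idParam.chars().allMatch(Character::isDigit)) {
            throw new IllegalArgumentException("invalid worksheet ID");
        }
        return Long.parseLong(idParam);
    }
}
```

Rejected values in the hardened path should be logged, since a stream of non-numeric 'ID' values against this endpoint is exactly the signal recommendation 4 asks teams to monitor for.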


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-17T18:15:51.348Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696cdf95d302b072d9cc70e0

Added to database: 1/18/2026, 1:26:45 PM

Last enriched: 1/18/2026, 1:41:04 PM

Last updated: 1/18/2026, 3:36:30 PM
