CVE-2026-1121: SQL Injection in Yonyou KSOA
A vulnerability was found in Yonyou KSOA 9.0. This affects an unknown function of the file /worksheet/del_workplan.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in SQL injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-1121 is a SQL injection vulnerability identified in Yonyou KSOA version 9.0, specifically in the HTTP GET parameter handler for the 'ID' argument within the /worksheet/del_workplan.jsp file. This vulnerability allows an unauthenticated remote attacker to inject arbitrary SQL commands by manipulating the 'ID' parameter, potentially leading to unauthorized data access, data modification, or deletion within the backend database. The vulnerability does not require any user interaction or privileges, making it straightforward to exploit remotely over the network. The vendor was notified early but has not issued any patch or mitigation guidance, and public exploit code has been released, increasing the risk of active exploitation. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no required privileges or user interaction, but limited impact on confidentiality, integrity, and availability. The vulnerability affects only version 9.0 of Yonyou KSOA, a widely used enterprise resource planning (ERP) system, primarily deployed in business environments. The lack of patch availability and public exploit presence necessitate immediate defensive measures to prevent exploitation.
Potential Impact
For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive business data, including financial records, employee information, and operational plans managed within Yonyou KSOA. Attackers could manipulate or delete critical data, causing operational disruptions and financial losses. The integrity of business processes relying on the ERP system could be compromised, potentially affecting supply chain management, human resources, and accounting functions. Confidentiality breaches could result in regulatory non-compliance under GDPR, leading to legal penalties and reputational damage. Availability impacts could arise if attackers execute destructive SQL commands or cause database corruption, leading to downtime. The presence of public exploits and lack of vendor response increase the likelihood of targeted attacks, especially against organizations with high-value data or strategic importance in Europe’s industrial and commercial sectors.
Mitigation Recommendations
1. Implement immediate input validation and sanitization on the 'ID' parameter in /worksheet/del_workplan.jsp to prevent SQL injection, using parameterized queries or prepared statements.
2. Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attempts targeting Yonyou KSOA endpoints.
3. Restrict network access to the affected application, limiting exposure to trusted internal networks or VPN users only.
4. Monitor application logs and network traffic for unusual or suspicious activity related to the vulnerable endpoint.
5. Conduct a thorough security audit of the entire Yonyou KSOA deployment to identify and remediate other potential injection points.
6. Engage with Yonyou or third-party security vendors for potential patches or workarounds and plan for an upgrade once a fix is available.
7. Educate IT and security teams on the risks and detection methods for SQL injection attacks specific to this product.
8. Consider database-level protections such as least privilege access and query execution restrictions to limit damage if exploitation occurs.
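As an added example (not code from the advisory or from Yonyou), this shows the allow-list rule behind mitigation items 1 and 4: the ID parameter of /worksheet/del_workplan.jsp is accepted only as a plain decimal integer, and the same rule is run over constructed access-log lines to flag requests to the endpoint that fail it. The log format, source addresses and status codes are assumed sample data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2026:10:00:01 +0100] "GET /worksheet/del_workplan.jsp?ID=1042 HTTP/1.1" 200 512
10.0.0.7 - - [18/Jan/2026:10:00:02 +0100] "GET /worksheet/del_workplan.jsp?ID=1042%27 HTTP/1.1" 500 233
10.0.0.7 - - [18/Jan/2026:10:00:03 +0100] "GET /worksheet/del_workplan.jsp?ID=1042%20OR%201%3D1 HTTP/1.1" 200 512
10.0.0.9 - - [18/Jan/2026:10:00:04 +0100] "GET /worksheet/list.jsp?page=2 HTTP/1.1" 200 8192
"""

VULN_PATH = "/worksheet/del_workplan.jsp"  # endpoint named in the advisory
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_safe_id(value: str) -> bool:
    """Allow-list check: a workplan ID must be a plain decimal integer.

    This is the rule a WAF or the application should enforce before the value
    gets anywhere near SQL; the query itself must still bind ID as a parameter.
    """
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def scan_access_log(text: str) -> list:
    """Return (source_ip, decoded_id, http_status) for every request to the
    vulnerable endpoint whose ID parameter fails the allow-list."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes values; keep_blank_values also catches "ID="
        for raw in parse_qs(url.query, keep_blank_values=True).get("ID", []):
            if not is_safe_id(raw):
                hits.append((m.group("src"), raw, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for src, raw, status in scan_access_log(SAMPLE_LOG):
        print(f"suspicious ID from {src}: {raw!r} (HTTP {status})")
```

The scanner is written in Python so it can run against exported logs; in the JSP itself the same validated value should be bound through a PreparedStatement rather than concatenated into the query.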
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-17T18:15:54.301Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696ce69dd302b072d9cf67dc
Added to database: 1/18/2026, 1:56:45 PM
Last enriched: 1/25/2026, 7:48:52 PM
Last updated: 2/7/2026, 2:29:09 PM