CVE-2026-1177 identifies a SQL injection vulnerability in Yonyou KSOA version 9.0, specifically within the /kmf/save_folder.jsp component that handles HTTP GET requests. The vulnerability is triggered by manipulating the 'folderid' parameter, which is not properly sanitized before being incorporated into SQL queries. This flaw allows remote attackers to inject malicious SQL code, potentially enabling unauthorized data access, modification, or deletion. The attack requires no authentication or user interaction, making it easier to exploit remotely over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Despite the medium severity rating, the availability of a public exploit increases the urgency for remediation. The vendor, Yonyou, has not responded to disclosure requests, and no official patches have been released, leaving users exposed. Yonyou KSOA is an enterprise software product widely used in China and other Asian markets for office automation and business process management, making this vulnerability particularly relevant to organizations relying on this platform. The lack of vendor response and public exploit availability heighten the risk of exploitation by threat actors aiming to compromise sensitive business data or disrupt operations.

The SQL injection vulnerability in Yonyou KSOA 9.0 can have significant impacts on affected organizations. Exploitation could lead to unauthorized disclosure of sensitive business data, unauthorized modification or deletion of records, and potential disruption of business processes managed through the KSOA platform. Since the vulnerability requires no authentication and can be exploited remotely, attackers could leverage it to gain foothold within enterprise environments, potentially escalating attacks or moving laterally. The partial impact on confidentiality, integrity, and availability means that while the entire system may not be compromised, critical data and functions could be affected, leading to operational downtime, reputational damage, and regulatory compliance issues. The absence of a vendor patch and the existence of public exploits increase the likelihood of active exploitation attempts, especially targeting organizations with high-value data or strategic importance. This threat is particularly concerning for enterprises in sectors such as finance, government, and manufacturing that rely heavily on Yonyou KSOA for internal workflows.

Given the lack of an official patch from Yonyou, organizations should implement immediate compensating controls. First, apply strict input validation and sanitization at the web application firewall (WAF) or reverse proxy level to detect and block malicious SQL injection payloads targeting the 'folderid' parameter in /kmf/save_folder.jsp requests. Employ anomaly detection to monitor unusual query patterns or spikes in traffic to this endpoint. Restrict network access to the KSOA application to trusted IP ranges and enforce strong segmentation to limit exposure. Conduct thorough code reviews and consider temporary code-level fixes or parameterized queries if source code access is available. Regularly audit logs for signs of exploitation attempts and prepare incident response plans. Additionally, organizations should engage with Yonyou support channels to demand timely patches and updates. Finally, maintain up-to-date backups of critical data to enable recovery in case of data integrity compromise.