CVE-2026-3200: SQL Injection in z-9527 admin
A vulnerability was identified in z-9527 admin 1.0/2.0. The affected element is the function checkName/register/login/getUser/getUsers of the file /server/controller/user.js. The manipulation leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-3200 is a remotely exploitable SQL injection vulnerability in z-9527 admin versions 1.0 and 2.0. It is located in the user-management controller /server/controller/user.js, in the functions checkName, register, login, getUser, and getUsers. According to the advisory, these functions incorporate user-supplied request fields into SQL queries without parameterizing or sanitizing them, so an attacker who controls those fields can change the structure of the query rather than just its values. The attack is network reachable and the advisory classes it as requiring neither privileges nor user interaction, so it can be attempted without a valid session. The consequences depend on the database engine and on the privileges of the account the application connects with: at minimum the attacker can read or alter user records, and with an over-privileged database account database features could be abused to reach the underlying host. The vendor was contacted early but has not responded, no patch or vendor advisory exists, and exploit code is public, which lowers the bar for opportunistic attacks. The CVSS 4.0 base score of 6.9 (medium) reflects low attack complexity with no privileges or user interaction required, offset by limited impact on confidentiality, integrity and availability. No active exploitation in the wild had been reported at the time of writing.
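The flaw pattern described above, as an added illustration that is not code from z-9527 admin: a hypothetical Node.js login handler that splices request fields into SQL text, beside a parameterized rewrite with an allow-list check in front of it. The table and column names, the request shape, the status codes, and the recording fake driver are all assumptions made for this example.

```javascript
// Added example, not z-9527 admin source: the injection pattern the
// advisory describes, next to the parameterized fix. Table/column names
// (users, username, password) and the request shape are assumptions.

// Vulnerable pattern: the SQL statement is assembled from request fields,
// so a single quote in the input closes the string literal and whatever
// follows is parsed as SQL.
function buildLoginQueryUnsafe(username, password) {
  return "SELECT id, username FROM users WHERE username = '" + username +
         "' AND password = '" + password + "'";
}

// Hardened pattern: fixed SQL text plus bind parameters. The driver passes
// the values as data, so quotes or keywords in them can never change the
// statement's structure.
function buildLoginQuerySafe(username, password) {
  return {
    sql: 'SELECT id, username FROM users WHERE username = ? AND password = ?',
    params: [username, password],
  };
}

// Defence in depth: allow-list identifier-like fields so malformed input is
// rejected before it reaches the database layer. This is a secondary
// control, not a substitute for parameterization.
const USERNAME_RE = /^[A-Za-z0-9_.-]{3,32}$/;
function isValidUsername(name) {
  return typeof name === 'string' && USERNAME_RE.test(name);
}

// Fake driver that records what it was asked to run; it stands in for a
// real `query(sql, params)` call so the example runs offline.
function makeRecordingDb() {
  const calls = [];
  return {
    calls,
    query(sql, params = []) {
      calls.push({ sql, params });
      return []; // no rows: nobody is logged in during this demo
    },
  };
}

// Hardened handler: validate, then query with bind parameters. Returns an
// HTTP-style status code (assumed convention for this example).
function loginHandler(body, db) {
  const { username, password } = body || {};
  if (!isValidUsername(username) || typeof password !== 'string') return 400;
  const { sql, params } = buildLoginQuerySafe(username, password);
  const rows = db.query(sql, params);
  return rows.length === 1 ? 200 : 401;
}

// Classic tautology payload: closes the literal, adds an always-true OR,
// and comments out the password check.
const PAYLOAD = "admin' OR '1'='1' -- ";

function demo() {
  const unsafe = buildLoginQueryUnsafe(PAYLOAD, 'anything');
  const db = makeRecordingDb();
  const status = loginHandler({ username: PAYLOAD, password: 'anything' }, db);
  return { unsafe, status, dbCalls: db.calls };
}

const result = demo();
console.log(result.unsafe);
console.log('hardened handler status:', result.status, 'db calls:', result.dbCalls.length);
```

The unsafe builder yields `... WHERE username = 'admin' OR '1'='1' -- ' AND password = 'anything'`, a WHERE clause that is always true with the password comparison commented out. The hardened path rejects the same payload at validation, and even if validation were removed the payload would travel as a bind parameter with the statement text unchanged.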
Potential Impact
The SQL injection in z-9527 admin can have significant impact on affected organizations. An attacker can run attacker-chosen SQL against the backend database, which may expose user records including credentials and personal information, and may allow unauthorized modification or deletion of data that disrupts operations. If the database account used by the application holds excessive privileges, the attacker may be able to escalate further or reach the underlying host, leading to full compromise. The absence of a vendor response combined with publicly available exploit code raises the likelihood of exploitation attempts. Organizations that rely on z-9527 admin for administrative functions face data breach, service disruption, and reputational risk. The medium severity rating indicates that, while the vulnerability is serious, the practical impact is bounded by which functions are reachable and by the privileges granted to the database account.
Mitigation Recommendations
Given the absence of an official patch, organizations should immediately implement the following mitigations:
1) Employ a Web Application Firewall (WAF) with rules that detect and block SQL injection payloads targeting the affected endpoints; inspect request bodies as well as query strings, and treat this as a stopgap, since WAF signatures can be evaded.
2) Restrict network access to the z-9527 admin interface to trusted IP addresses or a VPN to reduce exposure.
3) Fix the root cause in the application: modify the affected functions in /server/controller/user.js to use parameterized queries or prepared statements, and add input validation on top as defence in depth. This is the only durable fix.
4) Monitor application and web-server logs for indicators of injection attempts against the affected endpoints, such as quote characters followed by SQL keywords, comment sequences, UNION SELECT, or a spike in database error responses.
5) Limit the application's database account to the minimum privileges it needs, so a successful injection cannot read unrelated tables, write files, or execute administrative statements.
6) Consider deploying runtime application self-protection (RASP) to detect and block injection attacks in real time.
7) Prepare an incident response plan in case exploitation is detected.
Organizations should also keep engaging the vendor for updates and plan to upgrade or replace the product once a fix is available.
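Mitigation step 4 above, as an added example that is not part of the advisory or the vendor's tooling: a small scanner that parses combined-format web-server access log lines, URL-decodes the query parameters of requests to the user-controller routes, and reports the parameters that carry common injection indicators. The route paths are assumptions derived from the function names in the advisory (the real routes in z-9527 admin may differ), and the log lines are constructed for the example.

```javascript
// Added example (not from the advisory or vendor): scan access log lines
// for SQL injection attempts aimed at the user-controller routes. The route
// paths below are assumptions derived from the function names in the
// advisory; the real routes in z-9527 admin may differ.
const WATCHED_PATHS = ['/checkName', '/register', '/login', '/getUser', '/getUsers'];

// Indicators of injection in a decoded parameter value. Kept deliberately
// narrow to limit false positives on legitimate values with apostrophes.
const SQLI_PATTERNS = [
  /'\s*(or|and)\s+[\w'"]+\s*=\s*[\w'"]+/i, // ' OR '1'='1
  /union\s+(all\s+)?select\b/i,             // UNION SELECT
  /(--|\/\*)/,                              // comment terminators
  /\b(sleep|benchmark|pg_sleep)\s*\(/i,     // time-based probes
  /;\s*(drop|delete|update|insert)\b/i,     // stacked statements
];

// Combined-log prefix: ip ident user [time] "METHOD TARGET PROTO" status
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Parse one line into ip, time, method, path, decoded params and status.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  const [path, query = ''] = target.split('?', 2);
  const params = {};
  for (const kv of query.split('&')) {
    if (!kv) continue;
    const [k, v = ''] = kv.split('=', 2);
    params[safeDecode(k)] = safeDecode(v);
  }
  return { ip, time, method, path, params, status: Number(status) };
}

function matchedPattern(value) {
  const p = SQLI_PATTERNS.find((re) => re.test(value));
  return p ? p.source : null;
}

// One finding per suspicious parameter: who, which route, which parameter,
// which indicator fired, and the response status (500s hint at SQL errors).
function findSqliAttempts(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !WATCHED_PATHS.some((p) => req.path.endsWith(p))) continue;
    for (const [name, value] of Object.entries(req.params)) {
      const indicator = matchedPattern(value);
      if (indicator) {
        findings.push({ ip: req.ip, path: req.path, param: name, value, indicator, status: req.status });
      }
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [25/Feb/2026:20:30:01 +0000] "GET /api/checkName?name=alice HTTP/1.1" 200 45',
  '203.0.113.7 - - [25/Feb/2026:20:30:05 +0000] "GET /api/checkName?name=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
  '198.51.100.9 - - [25/Feb/2026:20:31:10 +0000] "GET /api/getUser?id=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 0',
  '192.0.2.4 - - [25/Feb/2026:20:32:00 +0000] "GET /api/getUsers?page=2 HTTP/1.1" 200 900',
  "192.0.2.4 - - [25/Feb/2026:20:33:00 +0000] \"GET /api/search?q=o'brien HTTP/1.1\" 200 120",
];

for (const f of findSqliAttempts(SAMPLE_LOG)) {
  console.log(`${f.ip} ${f.path} param=${f.param} indicator=${f.indicator} status=${f.status}`);
}
```

On the sample input only the two injection attempts are reported; the apostrophe in `o'brien` is not flagged because that route is not watched and the value matches no indicator. One caveat for this vulnerability: if the affected handlers read form or JSON bodies (typical for login and register), the payload never appears in a web-server access log at all, so the same indicator check has to run on application-level logs that record the submitted fields.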
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Australia, Canada, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-25T14:04:07.653Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f5b59b7ef31ef0b4d0f06
Added to database: 2/25/2026, 8:28:09 PM
Last enriched: 2/25/2026, 8:41:16 PM
Last updated: 2/26/2026, 12:34:23 AM