A critical SQL injection vulnerability has been identified in the RuoYi framework, affecting versions 4.7.9 and earlier. This flaw allows a remote, unauthenticated attacker to execute arbitrary code and potentially take full control of the affected application and its underlying database. Due to its maximum CVSS score of 10.0, this vulnerability poses an extreme risk of data theft, system compromise, and service disruption.

The vulnerability exists within the createTable function of the SqlUtil.java component. The function fails to properly sanitize user-supplied input before incorporating it into an SQL query. A remote attacker can send a specially crafted request to an endpoint that utilizes this function, injecting malicious SQL commands that will be executed by the back-end database, leading to arbitrary code execution.

This vulnerability is rated as critical with a CVSS score of 10.0, representing the highest possible risk. Successful exploitation could lead to a complete compromise of the application's database, allowing an attacker to read, modify, or delete any data, including sensitive customer information, financial records, and intellectual property. The ability to execute arbitrary code could also allow an attacker to pivot from the database to the underlying server, establishing a persistent foothold in the network, disrupting business operations, and causing significant reputational and financial damage.

Immediate Action: Organizations must immediately update all instances of RuoYi to the latest version that addresses this vulnerability. After patching, it is crucial to review access and database logs for any suspicious activity or indicators of compromise that may have occurred prior to the update.

Proactive Monitoring:

• Web/Application Logs: Scrutinize logs for unusual or malformed requests to application endpoints, particularly those related to database table creation or modification.
• Database Logs: Enable and monitor database query logs for anomalous SQL statements, such as stacked queries, UNION statements, or commands intended to interact with the operating system (e.g., xp_cmdshell).
• Network Traffic: Monitor for unusual outbound connections from the database server, which could indicate data exfiltration or a command-and-control channel.

Compensating Controls: If immediate patching is not feasible, the following measures can help reduce risk:

• Web Application Firewall (WAF): Deploy a WAF with a robust ruleset configured to block SQL injection attack patterns.
• Principle of Least Privilege: Ensure the database account used by the RuoYi application has the minimum permissions necessary for its operation, restricting its ability to perform high-privilege actions.
• Network Segmentation: Isolate the application and database servers from the rest of the corporate network to contain the impact of a potential breach.

Public Exploit Available: false

Given the critical severity (CVSS 10.0) of this vulnerability, immediate patching is the highest priority. This flaw allows for a full, remote system compromise with no user interaction required. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high potential for widespread impact makes it a prime candidate for future inclusion. All organizations using affected versions of RuoYi must treat this as an emergency and apply the necessary updates without delay to prevent a catastrophic security breach.