A critical SQL Injection vulnerability, identified as CVE-2025-11253, has been discovered in Aksis Technology Inc.'s Netty ERP software. This flaw allows an unauthenticated attacker to execute arbitrary commands on the backend database, potentially leading to a complete compromise of sensitive corporate data, including theft, modification, or deletion. Organizations using affected versions of Netty ERP are at high risk of a severe data breach and system takeover.

The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, commonly known as SQL Injection. The application fails to properly sanitize user-supplied input before using it to construct SQL queries. An unauthenticated remote attacker can exploit this by crafting malicious input that includes SQL commands, which are then executed by the database, allowing the attacker to bypass authentication, exfiltrate, modify, or delete data, and potentially gain administrative control over the database server.

This vulnerability carries a critical severity rating with a CVSS score of 9.8, indicating a high potential for severe business impact. Successful exploitation could lead to a catastrophic data breach, exposing sensitive customer, financial, and proprietary information. The consequences include significant financial loss, severe reputational damage, operational disruption due to data loss or corruption, and potential regulatory fines for non-compliance with data protection standards. Given that ERP systems are central to business operations, a compromise could halt core business functions.

Immediate Action: Immediately update all instances of Aksis Technology Inc. Netty ERP to version V.1.1000 or a later version provided by the vendor. After patching, it is crucial to monitor for any signs of exploitation attempts that may have occurred prior to the update and review historical access and database logs for indicators of compromise.

Proactive Monitoring: Implement enhanced monitoring of application and database logs, specifically looking for malformed SQL queries, a high rate of database errors, or queries containing SQL keywords like UNION, SELECT, DROP, or comment characters (--, /*). Monitor network traffic between the web application server and the database for unusual patterns or data volumes.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL injection attack patterns. Restrict database user permissions for the application to the absolute minimum required (principle of least privilege) to limit the potential impact of a successful exploit.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability represents a severe and immediate risk to the organization. We strongly recommend that all affected Netty ERP systems be patched immediately. Although this CVE is not currently on the CISA KEV list, its high severity makes it a prime candidate for future inclusion and an attractive target for attackers. Prioritize the deployment of the vendor-supplied update or, if patching is delayed, implement the recommended compensating controls without delay to mitigate the risk of a full-scale data breach.