CVE-2025-9953
DATABASE Software Training Consulting Ltd. · Databank Accreditation Software
Databank Accreditation Software is vulnerable to SQL Injection via an authorization bypass in user-controlled primary keys, affecting all versions through Feb 19, 2026.
Executive summary
Critical SQL injection vulnerabilities in Databank Accreditation Software allow attackers to bypass authorization and gain unauthorized access to sensitive database records.
Vulnerability
The software suffers from an Authorization Bypass through User-Controlled SQL Primary Keys, which facilitates SQL Injection. An attacker can manipulate input parameters related to primary keys to execute arbitrary SQL commands, potentially bypassing security checks.
Business impact
This vulnerability poses a severe risk to data integrity and confidentiality, as evidenced by the CVSS score of 9.8. Attackers could extract the entire accreditation database, modify records to grant fraudulent credentials, or delete critical organizational data. The vendor's failure to respond to initial disclosure attempts increases the risk, as official patches may be delayed.
Remediation
Immediate Action: Contact the vendor immediately for a private patch or update to the latest version, and restrict network access to the software to trusted IP addresses only.
Proactive Monitoring: Enable deep packet inspection on database traffic and monitor for common SQL injection patterns such as unexpected "OR 1=1" or "UNION SELECT" statements.
Compensating Controls: Implement a database activity monitoring (DAM) solution and ensure the application runs with the least privilege necessary to prevent broad database compromise.
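A log check along the lines of the Proactive Monitoring item, as an added example that is not part of the original advisory or the vendor's code: it flags primary-key parameters that carry the SQL patterns named above or are not plain integers, and also flags one session requesting many distinct keys, which signature matching alone misses. The log format, the parameter names in KEY_PARAMS and the threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumptions (not from the advisory): log lines look like "<session> <method> <url>",
# and these are the parameter names that carry primary keys.
KEY_PARAMS = {"id", "record_id"}
PLAIN_KEY = re.compile(r"[0-9]{1,18}")
SQLI = re.compile(r"\bunion\b.*\bselect\b|\bor\b\s+\S+?\s*=", re.I | re.S)
ENUM_THRESHOLD = 5  # assumed: distinct keys per session before flagging

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
s1 GET /record?id=42
s2 GET /record?id=42%20OR%201%3D1
s3 GET /record?id=1+UNION+SELECT+1
s5 GET /record?id=abc
s4 GET /record?id=100
s4 GET /record?id=101
s4 GET /record?id=102
s4 GET /record?id=103
s4 GET /record?id=104
s1 GET /record?id=43
""".splitlines()

def scan(lines):
    """Return (line_no, session, reason) for each suspicious key parameter."""
    findings, keys_seen = [], defaultdict(set)
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # not in the assumed format
        session, url = parts[0], parts[2]
        # parse_qsl URL-decodes, so encoded payloads are matched in clear form
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if name.lower() not in KEY_PARAMS:
                continue
            seen = keys_seen[session]
            if PLAIN_KEY.fullmatch(value):
                if value not in seen:
                    seen.add(value)
                    if len(seen) == ENUM_THRESHOLD:  # flag once per session
                        findings.append((n, session, "key-enumeration"))
            elif SQLI.search(value):
                findings.append((n, session, "sqli-pattern"))
            else:
                findings.append((n, session, "non-numeric-key"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```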
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical CVSS score and the nature of SQL injection in an accreditation platform, the potential for significant reputational and legal damage is high. Organizations should treat this as a zero-day-like scenario due to the lack of vendor communication and implement strict network segmentation to protect the vulnerable asset.