An authenticated SQL injection vulnerability in Sunnet CTMS permits attackers to compromise, manipulate, or exfiltrate sensitive data from the underlying database.

The application fails to properly sanitize user-supplied input, resulting in a SQL injection flaw. This vulnerability requires an authenticated attacker to reach the vulnerable interface to execute malicious queries.

The CVSS score of 8.8 reflects the high risk of data breach and unauthorized database modification. Successful exploitation could lead to full database compromise, potentially exposing sensitive organizational or user information, which carries severe reputational and compliance risks.

Immediate Action: Apply vendor-supplied patches immediately to remediate the vulnerable input handling in the CTMS platform.

Proactive Monitoring: Review database query logs for unusual syntax, such as union-based or blind SQL injection patterns, and monitor for unauthorized access to sensitive tables.

Compensating Controls: Deploy a Web Application Firewall (WAF) with updated rulesets designed to detect and block common SQL injection payloads targeting your specific application environment.

Public Exploit Available: false

Organizations utilizing Sunnet CTMS must treat this as a high-priority item. In addition to patching, it is recommended to conduct a thorough audit of current database access privileges to ensure the principle of least privilege is strictly enforced, limiting the impact of any potential breach.