External risk intelligence

MY ERP SQL Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2025-4738

A critical SQL injection vulnerability exists in Yirmibes Software MY ERP, enabling attackers to manipulate database commands. This could result in unauthorized access to or modification of sensitive business data. This threat is relevant because MY ERP is enterprise resource planning software, often network-accessible

Halo Surface Signal (score 4)

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2025-4738

MY ERP is enterprise resource planning software. Such applications are commonly deployed as web-based platforms reachable over the internet or wide-area networks so that employees, partners, or vendors can access them remotely, which places the SQL injection vulnerability surface in a typically internet-reachable or edge-exposed position.

PCI scan relevance

PCI Relevance for CVE-2025-4738

Yes

CVE-2025-4738 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability in MY ERP is PCI scan-relevant as it can lead to automatic failure in scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Yirmibes Software MY ERP could allow attackers to inject malicious SQL commands, potentially leading to unauthorized access or manipulation of sensitive company data. This type of vulnerability, known as SQL injection, is a common but serious threat to business applications.

  • SQL injection allows unauthorized data access.
  • It impacts critical business resource planning software.
  • Confirm relevance and exposure of MY ERP systems.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted input over the network to the MY ERP system. This malicious input targets a feature that improperly processes user-supplied data, allowing the attacker to manipulate database queries. Successful exploitation could lead to unauthorized access to sensitive information, modification of data, or complete disruption of the application.

  • No authentication required.
  • SQL injection through crafted input.
  • Full system compromise possible.

Live Threat

Current exploitation, exposure, and threat context

A SQL injection vulnerability in MY ERP could allow an attacker to interfere with the queries an application makes to its database. This could potentially lead to unauthorized access, modification, or deletion of sensitive business data stored within the ERP system. The impact depends on the specific configuration and the database's contents.

  • System data and business logic at risk.
  • Attacker injects malicious SQL commands.
  • Unauthorized data access or modification.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this SQL injection vulnerability in MY ERP. The first practical step involves identifying all deployments of the affected software, confirming their network reachability and business criticality, and then locating the accountable owner for each instance to plan remediation based on assessed risk.

  • Identify affected MY ERP instances.
  • Verify network exposure and criticality.
  • Plan risk-based remediation.

Frequently asked questions

What is Yirmibes Software MY ERP?

MY ERP is enterprise resource planning (ERP) software used by businesses to manage operations such as accounting, human resources, and supply chain. It helps organizations streamline processes and manage resources efficiently.

What is CVE-2025-4738 SQL Injection?

CVE-2025-4738 is a critical SQL injection vulnerability in MY ERP. This weakness class, catalogued as CWE-89, allows an attacker to insert SQL syntax into the commands an application sends to its database, because user-supplied input is combined with the query text instead of being passed as data. This can lead to unauthorized access, modification, or deletion of sensitive data.
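As an added illustration of the CWE-89 mechanism described above, the following Python compares a string-concatenated query with a parameterized one against an in-memory SQLite database. This is example code written for this page, not MY ERP's code: the affected MY ERP feature, its schema and its query structure are not published here, so the `customers` table, the `region` filter and the allow-list of regions are hypothetical.

```python
import sqlite3

# Constructed sample data; the schema is hypothetical and is not MY ERP's.
SAMPLE_ROWS = [
    ("Acme GmbH", "EU", 50000),
    ("Beta Ltd", "EU", 20000),
    ("Gamma Inc", "US", 75000),
]

# Hypothetical allow-list of region codes the application expects.
ALLOWED_REGIONS = frozenset({"EU", "US", "APAC"})


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers "
        "(id INTEGER PRIMARY KEY, name TEXT, region TEXT, credit_limit INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers (name, region, credit_limit) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, region: str) -> list[str]:
    """CWE-89: the caller-supplied value is spliced into the SQL text, so a quote
    character in the input terminates the literal and the remainder is parsed
    as SQL grammar rather than as a value."""
    sql = "SELECT name FROM customers WHERE region = '" + region + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, region: str) -> list[str]:
    """Hardened form: the SQL text is fixed and the value is bound as a
    parameter, so the engine only ever sees it as data."""
    sql = "SELECT name FROM customers WHERE region = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (region,))]


def lookup_validated(conn: sqlite3.Connection, region: str) -> list[str]:
    """Defence in depth: reject values outside the known allow-list before the
    query runs, and still use a bound parameter for the value itself."""
    if region not in ALLOWED_REGIONS:
        raise ValueError(f"unexpected region value: {region!r}")
    return lookup_parameterized(conn, region)


def demo() -> dict[str, list[str]]:
    """Run a benign and a crafted input through both query styles."""
    conn = make_db()
    benign = "EU"
    # Constructed test input: a closing quote followed by an always-true clause.
    crafted = "EU' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

In the concatenated path the crafted string widens the filter to every customer; in the parameterized path the same string is just a region name that matches nothing. That difference is the property a code-level fix for CWE-89 has to establish, and the allow-list check shows the additional input validation a reviewer would expect around it.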

How can an attacker exploit the MY ERP vulnerability?

An attacker can exploit this vulnerability by sending specially crafted network input to the MY ERP system. This input targets a flaw where the software improperly handles data, allowing the attacker to manipulate database queries without needing any authentication.

Who should be concerned about the MY ERP vulnerability?

Organizations using MY ERP should be concerned, especially if their instances are internet-facing. The Halo Surface Signal indicates that ERP systems are often web-based and accessible remotely, increasing the potential exposure of this vulnerability.

What is the first step to address the MY ERP SQL Injection flaw?

The first step is to identify all deployed instances of MY ERP software. It's important to determine their network accessibility and their business criticality to understand the risk and plan for remediation.
