CVE-2025-41372
📋 TL;DR
An authenticated SQL injection vulnerability in Gandia Integra Total of TESI allows attackers to manipulate database operations through the 'idestudio' parameter. This affects organizations using versions 2.1.2217.3 through 4.4.2236.1 of the software, potentially compromising sensitive data integrity and confidentiality.
💻 Affected Systems
- Gandia Integra Total of TESI
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, data destruction, privilege escalation, and potential lateral movement to other systems.
Likely Case
Unauthorized access to sensitive survey/interview data, manipulation of business-critical information, and potential data corruption.
If Mitigated
Limited impact due to proper input validation, parameterized queries, and database permission restrictions.
🎯 Exploit Status
Exploitation requires authenticated access but SQL injection is a well-understood attack vector with many available tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 4.4.2236.1
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-gandia-integra-total-tesi
Restart Required: Yes
Instructions:
1. Contact the TESI vendor for a patched version.
2. Back up the current installation and its data.
3. Apply the vendor-provided patch or upgrade to a version after 4.4.2236.1.
4. Restart the application services.
5. Verify that the fix has been applied.
🔧 Temporary Workarounds
Input Validation Filter
- Implement server-side validation of the 'idestudio' parameter and reject any value that is not an integer
- Use parameterized queries or prepared statements in the PHP code instead of concatenating the parameter into the SQL string
- Minimal input validation: if(!isset($_GET['idestudio']) || !is_numeric($_GET['idestudio'])) { die('Invalid input'); }
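The two workaround items above, validation and a prepared statement, as one added PHP example. This is not TESI's code: the table and column names, the PDO DSN and credentials, and the function names are assumptions. It uses FILTER_VALIDATE_INT rather than is_numeric() because is_numeric() also accepts floats and exponent notation, and it binds the value as an integer so user input never becomes part of the SQL text.

```php
<?php
// Added example (not TESI's code): hardened handling of the 'idestudio'
// parameter for a report page. The 'entrevistas' table, its columns and the
// PDO DSN are assumptions; adapt them to the real schema.

declare(strict_types=1);

/**
 * Validate 'idestudio' as a positive integer. Returns null for anything else
 * (missing, array, float, text), so the caller fails closed.
 * FILTER_VALIDATE_INT rejects floats, exponent notation and hex, all of which
 * is_numeric() would let through.
 */
function validateIdEstudio(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // absent, or sent as idestudio[]=...
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch interview rows for a study with a prepared statement. The value is
 * bound as an integer, so the query text is fixed and cannot be altered by input.
 */
function fetchEntrevistas(PDO $pdo, int $idEstudio): array
{
    $stmt = $pdo->prepare(
        'SELECT id, entrevistador, fecha FROM entrevistas WHERE idestudio = :idestudio'
    );
    $stmt->bindValue(':idestudio', $idEstudio, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling: validate first, then query. This part only runs under a
// web server; from the command line the file just defines the functions.
if (PHP_SAPI !== 'cli') {
    $idEstudio = validateIdEstudio($_GET['idestudio'] ?? null);
    if ($idEstudio === null) {
        http_response_code(400);
        exit('Invalid idestudio');
    }
    // Assumed connection details; use real credentials from configuration.
    $pdo = new PDO('mysql:host=localhost;dbname=integra', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
    ]);
    header('Content-Type: application/json');
    echo json_encode(fetchEntrevistas($pdo, $idEstudio));
}
```

Validation and the prepared statement are deliberately separate layers: the integer check gives a clean 400 for malformed input, and the bound parameter protects the query even if a future code path forgets to validate.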
Web Application Firewall Rules
- Block SQL injection patterns targeting the vulnerable endpoint
- WAF rule: deny requests to /encuestas/integraweb*/integra/html/view/informe_campo_entrevistas.php that carry SQL injection patterns in their parameters
🧯 If You Can't Patch
- Implement network segmentation to restrict access to vulnerable endpoint to authorized users only
- Enable detailed logging and monitoring for SQL injection attempts on the affected endpoint
🔍 How to Verify
Check if Vulnerable:
Test the 'idestudio' parameter with SQL injection payloads (e.g., ' OR '1'='1) and observe database behavior
Check Version:
Check application version in admin interface or configuration files
Verify Fix Applied:
Repeat the same SQL injection tests after patching: the application should return an error message and no data manipulation should occur
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries from web application
- Multiple failed login attempts followed by SQL injection patterns
- Unexpected database error messages in application logs
Network Indicators:
- HTTP requests to vulnerable endpoint with SQL keywords in parameters
- Unusual database traffic patterns from web server
SIEM Query:
source="web_logs" AND uri="/encuestas/integraweb*/integra/html/view/informe_campo_entrevistas.php" AND (param="idestudio" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|;|')")
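The SIEM query above matches the raw parameter value, so a URL-encoded payload (%27 for the quote, for example) would slip past it. The following added PHP script, which is not part of the advisory, applies the same keyword pattern to web-server access logs after URL-decoding the 'idestudio' value and restricting the match to the vulnerable endpoint path. The three log lines are constructed for illustration; the payload used is the one quoted in the verification section.

```php
<?php
// Added example (not part of the advisory): flag access-log lines that hit
// the vulnerable report page with a suspicious 'idestudio' value.

declare(strict_types=1);

// Keyword pattern from the advisory's SIEM query.
const SUSPICIOUS = '/(union|select|insert|update|delete|drop|--|#|;|\')/i';
// Path from the advisory; "integraweb*" is taken as any directory prefix.
const ENDPOINT_RE = '#^/encuestas/integraweb[^/]*/integra/html/view/informe_campo_entrevistas\.php$#';

/**
 * Return the URL-decoded 'idestudio' value from a request line such as
 * "GET /path?idestudio=12 HTTP/1.1", or null if the line is not a request
 * for the vulnerable endpoint or carries no such parameter.
 */
function extractIdEstudio(string $requestLine): ?string
{
    if (!preg_match('/^\S+\s+(.+?)\s+HTTP\/[\d.]+$/', $requestLine, $m)) {
        return null;
    }
    $path  = parse_url($m[1], PHP_URL_PATH);
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($path) || !preg_match(ENDPOINT_RE, $path)) {
        return null;
    }
    parse_str((string) $query, $params); // decodes %27 etc., so encoded payloads are seen
    $value = $params['idestudio'] ?? null;
    return is_string($value) ? $value : null;
}

/** True when the value is not a plain integer and contains a suspicious token. */
function isSuspicious(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_INT) === false
        && preg_match(SUSPICIOUS, $value) === 1;
}

/** Scan combined-format log lines and return those that look like injection attempts. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/"([^"]*)"/', $line, $m)) {
            continue; // no quoted request line
        }
        $value = extractIdEstudio($m[1]);
        if ($value !== null && isSuspicious($value)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines: a benign request, the advisory's payload as logged
// raw, and the same payload URL-encoded. Only the last two should be flagged.
$sample = [
    '10.0.0.5 - alice [01/Jan/2025:10:00:00 +0000] "GET /encuestas/integraweb_v4/integra/html/view/informe_campo_entrevistas.php?idestudio=12 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jan/2025:10:00:01 +0000] "GET /encuestas/integraweb_v4/integra/html/view/informe_campo_entrevistas.php?idestudio=12\' OR \'1\'=\'1 HTTP/1.1" 200 9000',
    '10.0.0.9 - bob [01/Jan/2025:10:00:02 +0000] "GET /encuestas/integraweb_v4/integra/html/view/informe_campo_entrevistas.php?idestudio=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9000',
];

foreach (scanLog($sample) as $hit) {
    echo "ALERT: $hit\n";
}
```

The integer check in isSuspicious() keeps legitimate study identifiers out of the alert stream; the same decode-then-match logic can be ported to a SIEM that supports a URL-decode function before the regular expression is applied.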