CVE-2025-41370 Overview
CVE-2025-41370 is a SQL injection vulnerability in Gandia Integra Total, a survey management platform developed by TESI. The flaw exists in the idestudio parameter of the /encuestas/integraweb/html/view/acceso.php endpoint. An authenticated attacker can inject arbitrary SQL into the query that consumes this parameter and read, create, update, or delete database records. The vulnerability affects versions 2.1.2217.3 through 4.4.2236.1 and is classified as CWE-89 (improper neutralization of special elements used in an SQL command). Compromise of the backend database can expose survey data, credentials, and operational metadata.
Critical Impact
Authenticated attackers can fully manipulate backend databases through unsanitized input to the idestudio parameter, resulting in confidentiality, integrity, and availability loss.
Affected Products
- Gandia Integra Total versions 2.1.2217.3 through 4.4.2236.1, both endpoints inclusive
Discovery Timeline
- 2025-08-01 - CVE-2025-41370 published to NVD
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2025-41370
Vulnerability Analysis
The vulnerability resides in the acceso.php script under /encuestas/integraweb/html/view/. The script accepts the idestudio HTTP parameter and concatenates its value into a SQL query without parameterization or input validation. An attacker authenticated to the application can supply crafted SQL syntax through this parameter to alter the query structure.
Because the injected SQL runs with the privileges of the application's database account, the attacker can execute arbitrary SELECT, INSERT, UPDATE, and DELETE operations against any table that account can reach, not only the survey tables the endpoint was meant to touch. Depending on the database engine, whether the database driver accepts multiple statements in one call (stacked queries), and the account's permissions, this can extend to schema modification. The result is a complete loss of confidentiality, integrity, and availability of the survey datastore.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command (CWE-89). The acceso.php handler builds the query by concatenating the idestudio request parameter into the SQL text instead of using a parameterized query or prepared statement, and it does not validate that the value is the integer the parameter is expected to carry. User-controlled input is therefore interpreted as part of the SQL program rather than as data, collapsing the boundary between code and input.
Attack Vector
Exploitation requires network access to the web application and a valid authenticated session. The attacker issues an HTTP request to /encuestas/integraweb/html/view/acceso.php with a malicious value in the idestudio parameter. No user interaction is required and attack complexity is low. At the time of writing the vulnerability has not been observed in active exploitation campaigns and no public proof-of-concept exploit is known.
The expected idestudio value is numeric. An attacker replaces it with SQL syntax that changes the query's meaning: a UNION SELECT clause to pull other columns or tables into the result, a boolean condition (for example an OR that is always true) to bypass filtering, or a time-based blind payload that makes the database pause so the attacker can infer data one condition at a time when no results or errors are echoed back. See the INCIBE Security Notice for vendor-coordinated details.
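The following is an added example, not code from Gandia Integra Total or from any published advisory. It models the root cause described above and the payload kinds listed in this section using an in-memory SQLite table (the real schema, column names, and the PHP query in acceso.php are unknown and simply assumed here): lookup_vulnerable splices idestudio into the SQL text, so a boolean payload neutralises the ownership check and a UNION payload returns columns the query never selected, while lookup_hardened validates the parameter as an integer and binds it with a prepared statement.

```python
import re
import sqlite3

# Constructed stand-in for a survey table. The real Gandia Integra Total
# schema is not public; the table and column names here are assumptions.
SAMPLE_ROWS = [
    (101, "Customer satisfaction 2024", 7),   # propietario = user 7
    (102, "Employee pulse survey", 7),
    (103, "Confidential board survey", 1),    # owned by a different user
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE estudios (idestudio INTEGER, nombre TEXT, propietario INTEGER)"
    )
    conn.executemany("INSERT INTO estudios VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, idestudio, user_id):
    """CWE-89 pattern: the request parameter is concatenated into the SQL text."""
    sql = (
        "SELECT idestudio, nombre FROM estudios "
        f"WHERE idestudio = {idestudio} AND propietario = {user_id}"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, idestudio, user_id):
    """Validate the documented type, then bind the value as data, never as SQL."""
    if not re.fullmatch(r"[0-9]+", str(idestudio)):
        raise ValueError("idestudio must be a non-negative integer")
    sql = "SELECT idestudio, nombre FROM estudios WHERE idestudio = ? AND propietario = ?"
    return conn.execute(sql, (int(idestudio), user_id)).fetchall()


def hardened_rejects(conn, value, user_id=7):
    """True if the hardened lookup refuses the value before it reaches the database."""
    try:
        lookup_hardened(conn, value, user_id)
    except ValueError:
        return True
    return False


# Constructed payloads illustrating the kinds named in the text (not from any PoC).
# "--" comments out the rest of the query, including the ownership check.
BOOLEAN_PAYLOAD = "103 OR 1=1 --"
UNION_PAYLOAD = "0 UNION SELECT propietario, nombre FROM estudios --"


def main():
    conn = make_db()
    print("legit   :", lookup_vulnerable(conn, "102", 7))        # one row, user 7's own
    print("boolean :", lookup_vulnerable(conn, BOOLEAN_PAYLOAD, 7))  # every row, any owner
    print("union   :", lookup_vulnerable(conn, UNION_PAYLOAD, 7))    # owner ids leak out
    print("hardened rejects payload:", hardened_rejects(conn, BOOLEAN_PAYLOAD))
    print("hardened, foreign survey:", lookup_hardened(conn, "103", 7))  # [] (not owned)


if __name__ == "__main__":
    main()
```

The hardened version does two independent things, and both matter: the integer check rejects anything that is not the documented data type before it reaches the database, and the bound parameter guarantees that even a value which passes validation can never change the query's structure. Validation alone is a brittle defence (it has to be repeated for every parameter and every encoding); binding alone is sufficient for correctness but loses the early, loggable rejection that the detection guidance below relies on.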
Detection Methods for CVE-2025-41370
Indicators of Compromise
- HTTP requests to /encuestas/integraweb/html/view/acceso.php whose idestudio parameter, after URL-decoding (payloads are commonly percent-encoded, sometimes twice), is not a plain integer or contains SQL keywords such as UNION, SELECT, SLEEP, BENCHMARK, or the comment sequence --.
- Unusual database error messages returned to clients accessing the acceso.php endpoint.
- Unexpected INSERT, UPDATE, or DELETE activity on Gandia Integra Total survey tables from the application service account.
Detection Strategies
- Inspect web server access logs for non-numeric or encoded values in the idestudio query parameter.
- Deploy a web application firewall (WAF) rule set with SQL injection signatures targeting the acceso.php endpoint, with request normalization and URL-decoding enabled so encoded payloads are inspected in their decoded form.
- Correlate authenticated session activity with anomalous database query volume or query duration spikes.
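The detector below is an added example, not tooling from TESI or INCIBE. It runs the first two detection strategies over a few constructed access-log lines in the common "combined" format (the real deployment's log format, user names, and client addresses are assumptions): it restricts itself to the acceso.php path, URL-decodes the idestudio value repeatedly to defeat double encoding, flags any value that is not a plain integer, and labels the SQL tokens it finds so an analyst can tell a UNION probe from a time-based one.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/encuestas/integraweb/html/view/acceso.php"

# Apache/nginx "combined"-style access log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Tokens worth labelling once a value has already failed the integer check.
SQLI_TOKENS = re.compile(
    r"\b(?:UNION|SELECT|SLEEP|BENCHMARK|WAITFOR|OR|AND)\b|--|/\*|'|;",
    re.IGNORECASE,
)
INTEGER = re.compile(r"[0-9]+")

# Constructed sample log: one legitimate request, one hit on a different
# script (ignored), a time-based probe, a double-encoded UNION probe that
# produced a server error, and a POST whose body the access log cannot show.
SAMPLE_LOG = """\
10.0.0.5 - jsmith [08/Oct/2025:09:12:01 +0200] "GET /encuestas/integraweb/html/view/acceso.php?idestudio=1042 HTTP/1.1" 200 5120
10.0.0.5 - jsmith [08/Oct/2025:09:12:09 +0200] "GET /encuestas/integraweb/html/view/otro.php?idestudio=1%20OR%201%3D1 HTTP/1.1" 200 300
203.0.113.7 - mperez [08/Oct/2025:09:14:33 +0200] "GET /encuestas/integraweb/html/view/acceso.php?idestudio=1042%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120
203.0.113.7 - mperez [08/Oct/2025:09:14:41 +0200] "GET /encuestas/integraweb/html/view/acceso.php?idestudio=0%2520UNION%2520SELECT%25201%252C2 HTTP/1.1" 500 412
203.0.113.7 - mperez [08/Oct/2025:09:15:02 +0200] "POST /encuestas/integraweb/html/view/acceso.php HTTP/1.1" 200 5120
"""


def fully_decode(value, rounds=3):
    """Peel repeated percent-encoding (a common WAF-evasion trick) until stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(log_text):
    """Return one finding per acceso.php request whose idestudio is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        # parse_qs decodes one layer. POST bodies never appear in access logs,
        # so parameters sent in the body need application or WAF logs instead.
        for raw in parse_qs(url.query, keep_blank_values=True).get("idestudio", []):
            value = fully_decode(raw)
            if INTEGER.fullmatch(value):
                continue
            findings.append({
                "client": m["client"], "user": m["user"], "ts": m["ts"],
                "status": int(m["status"]), "value": value,
                "tokens": sorted({t.upper() for t in SQLI_TOKENS.findall(value)}),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} user={f['user']} status={f['status']} "
              f"tokens={f['tokens']} idestudio={f['value']!r}")
```

Two things in the output are the ones to act on. The finding's user field is the authenticated account that sent the payload, which is the input to the credential-review step in the mitigation section, and a 500 status paired with a SQL token is the "database error returned to the client" indicator: it usually means the injected syntax reached the database engine rather than being rejected at the application layer.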
Monitoring Recommendations
- Enable query logging on the database backing Gandia Integra Total and forward the logs to a centralized analytics platform. Full statement logging captures survey data and credentials in the log stream and adds load on a busy instance, so scope it (for example to slow queries and errors) and protect the log store accordingly.
- Alert on database errors originating from the acceso.php handler, which often signal injection probing.
- Track authentication events for accounts that issue requests with abnormal idestudio payloads to identify compromised credentials.
How to Mitigate CVE-2025-41370
Immediate Actions Required
- Upgrade Gandia Integra Total to a release beyond version 4.4.2236.1 once a fixed build is provided by TESI.
- Restrict network access to the Gandia Integra Total application to trusted networks or VPN users only.
- Rotate credentials and review audit logs for any account that has accessed acceso.php during the exposure window.
Patch Information
Refer to the INCIBE Security Notice for vendor coordination details and fixed version availability. Apply the vendor-supplied update from TESI as soon as it is released and verify the deployed version is greater than 4.4.2236.1.
Workarounds
- Deploy a WAF rule that rejects any request to /encuestas/integraweb/html/view/acceso.php whose idestudio parameter, after URL-decoding, is not a plain integer. A positive (allow-list) check is more robust than keyword blocking, but it is a stopgap that protects one parameter on one endpoint, not a substitute for the vendor fix.
- Apply the principle of least privilege to the database account used by Gandia Integra Total, removing DROP, ALTER, and any write permissions the application does not need. This limits the blast radius (no schema changes, fewer tables writable) but does not stop SELECT-based data exfiltration through the injection.
- Disable or firewall the acceso.php endpoint if it is not required for business operations until a patch is applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.