CVE-2025-41371 Overview
CVE-2025-41371 is a SQL injection vulnerability [CWE-89] in Gandia Integra Total by TESI. The flaw affects versions 2.1.2217.3 through 4.4.2236.1. An authenticated attacker can inject malicious SQL through the idestudio parameter in /encuestas/integraweb_v4/integra/html/view/acceso.php. Successful exploitation allows attackers to read, create, update, and delete database content.
The vulnerability is network-exploitable with low attack complexity. It impacts confidentiality, integrity, and availability of the underlying survey database. INCIBE-CERT published an advisory documenting this and related issues in the product.
Critical Impact
An authenticated attacker can fully compromise the survey database by manipulating the idestudio parameter, enabling data theft and destruction.
Affected Products
- Gandia Integra Total version 2.1.2217.3
- Gandia Integra Total versions between 2.1.2217.3 and 4.4.2236.1
- Gandia Integra Total version 4.4.2236.1
Discovery Timeline
- 2025-08-01 - CVE-2025-41371 published to NVD
- 2025-10-08 - Last updated in NVD database
Technical Details for CVE-2025-41371
Vulnerability Analysis
The vulnerability resides in acceso.php, located at /encuestas/integraweb_v4/integra/html/view/. This file processes the idestudio request parameter without proper sanitization or parameterization. The unvalidated input flows directly into a SQL query executed against the application database.
Because the injection point sits within an authenticated workflow, an attacker must hold valid application credentials. Once authenticated, the attacker can manipulate query logic to perform arbitrary SELECT, INSERT, UPDATE, and DELETE operations. The classification corresponds to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Root Cause
The root cause is improper input neutralization. The application concatenates the idestudio parameter into a SQL statement instead of using parameterized queries or prepared statements. No allowlist validation or type enforcement is applied before the parameter reaches the database layer.
Attack Vector
The attack vector is network-based and requires authentication but no user interaction. An attacker sends a crafted HTTP request to the vulnerable endpoint with a malicious payload in the idestudio parameter. The payload extends or replaces the intended SQL statement, allowing direct database manipulation.
No public proof-of-concept code has been released. The vulnerability mechanism is described in prose because no verified exploit code is available. See the INCIBE Security Notice for additional technical context.
Detection Methods for CVE-2025-41371
Indicators of Compromise
- HTTP requests to /encuestas/integraweb_v4/integra/html/view/acceso.php containing SQL metacharacters such as ', --, UNION, SELECT, or ; in the idestudio parameter.
- Database audit log entries showing unexpected DDL or DML operations originating from the application service account.
- Anomalous response sizes or HTTP 500 errors from acceso.php indicating injection probing.
Detection Strategies
- Inspect web server access logs for non-numeric values in the idestudio query string parameter.
- Deploy a web application firewall rule that blocks SQL injection patterns targeting the acceso.php endpoint.
- Correlate authenticated user sessions with database query patterns to identify abnormal query volumes or destructive statements.
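The access-log check from the first detection strategy can be scripted. The following is an added example, not code from the advisory or the vendor. It assumes access logs in common/combined log format, and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and parameter named in the advisory.
ENDPOINT = "/encuestas/integraweb_v4/integra/html/view/acceso.php"
PARAM = "idestudio"

# Assumption: common/combined log format (ip ident user [time] "request" status size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
NUMERIC = re.compile(r"[0-9]+")  # applied with fullmatch(): ASCII digits only

# Constructed sample lines (documentation IP ranges, not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2025:10:00:01 +0000] "GET /encuestas/integraweb_v4/integra/html/view/acceso.php?idestudio=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Aug/2025:10:02:13 +0000] "GET /encuestas/integraweb_v4/integra/html/view/acceso.php?idestudio=42%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [01/Aug/2025:10:02:20 +0000] "GET /encuestas/integraweb_v4/integra/html/view/acceso.php?idestudio=7&idestudio=abc HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Aug/2025:10:05:00 +0000] "GET /index.php?idestudio=x HTTP/1.1" 200 100',
]

def suspicious_requests(lines):
    """Return one finding per idestudio value that is not purely numeric."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        if unquote(url.path) != ENDPOINT:
            continue  # only the endpoint named in the advisory
        # parse_qsl percent-decodes names and values and keeps every
        # occurrence, so each idestudio value in the request is checked.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == PARAM and not NUMERIC.fullmatch(value):
                findings.append({"ip": m["ip"], "time": m["time"],
                                 "status": int(m["status"]), "value": value})
    return findings

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Only the request line is inspected, so values sent in a request body need application or WAF logging to be covered.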
Monitoring Recommendations
- Forward web server and database logs to a centralized SIEM for correlation and alerting.
- Enable database query logging on the Gandia Integra Total backend to capture full SQL statements.
- Monitor for unauthorized schema changes, new database accounts, or unexpected data exports.
How to Mitigate CVE-2025-41371
Immediate Actions Required
- Restrict network access to the Gandia Integra Total application to trusted internal users and VPN clients.
- Rotate credentials for all Gandia Integra Total accounts and review audit logs for suspicious authenticated activity.
- Apply least-privilege permissions to the database account used by the application, removing rights to drop or alter schemas where feasible.
Patch Information
TESI has not published a public patch identifier in the referenced advisory. Contact TESI directly and consult the INCIBE Security Notice for vendor remediation guidance and fixed version availability.
Workarounds
- Place a web application firewall in front of the application and block requests containing SQL metacharacters in the idestudio parameter.
- Enforce strict input validation at a reverse proxy by allowing only numeric values for idestudio.
- Disable or restrict access to /encuestas/integraweb_v4/integra/html/view/acceso.php until a vendor fix is applied.
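    # Example NGINX rule restricting idestudio to numeric values
    location /encuestas/integraweb_v4/integra/html/view/acceso.php {
        # $arg_idestudio is read from the query string only; a value sent in
        # a POST body is not inspected. A request with no idestudio argument
        # yields an empty string and is also rejected.
        if ($arg_idestudio !~ "^[0-9]+$") {
            return 403;
        }
        proxy_pass http://gandia_backend;
    }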


