Ciser System SQL Injection Vulnerability in Authentication Module

A critical SQL injection vulnerability has been identified in the authentication module of Ciser System SL firmware, specifically in versions 3.0 through 5.1. This vulnerability allows an unauthenticated, remote attacker to send specially crafted SQL queries through the login interface. The flaw arises from inadequate input validation, enabling a complete compromise of the system's configuration data. While the vulnerability does not affect the availability of the service, it may lead to a limited exposure of sensitive information regarding subsequent or interconnected systems.

Impact

Exploitation of this vulnerability allows for a total compromise of the system's configuration data. The breach may also result in a limited exposure of sensitive information related to subsequent or interconnected systems.

Remediation

Users are advised to update to Ciser System SL firmware version 5.3 or higher, which addresses the vulnerability by implementing improved input validation and parameterized queries. If an immediate update is not possible, network-level controls should be applied to restrict access to the management or login panel, isolating the interface within a dedicated management VLAN accessible only through a secure corporate VPN.