Overview
CVE-2025-4738 is a high-severity cybersecurity vulnerability that resides within Yirmibes Software’s MY ERP product. This vulnerability, which pertains to the improper neutralization of special elements used in SQL commands (also known as SQL Injection), provides a potential attacker with the ability to manipulate or control the database of the affected system. This is a critical issue because ERP (Enterprise Resource Planning) systems often contain sensitive business data, and an exploit could lead to a severe compromise of system integrity and data confidentiality.
Vulnerability Summary
CVE ID: CVE-2025-4738
Severity: Critical 9.8 (CVSS)
Attack Vector: Network
Privileges Required: Low
User Interaction: None
Impact: Potential system compromise or data leakage
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
Yirmibes Software MY ERP | Before 1.170
How the Exploit Works
SQL Injection is a code injection technique that attackers use to insert malicious SQL statements into an entry field for execution. In the context of CVE-2025-4738, an attacker might use this technique to manipulate the MY ERP system’s database. The attacker could potentially view, modify, or delete data, or even execute administration operations on the database.
Conceptual Example Code
The following is a simplified, conceptual example of how an HTTP request might be crafted to exploit this vulnerability:
POST /erp/database HTTP/1.1
Host: target.example.com
Content-Type: application/sql
{ "query": "SELECT * FROM users; DROP TABLE users;" }
In this hypothetical example, the attacker is first selecting all data from a ‘users’ table, then deleting that same table. Real-world attacks can be much more sophisticated and damaging.
Mitigation and Patching
To mitigate this vulnerability, organizations should urgently apply the vendor’s patch. For those who cannot immediately apply the patch, using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as a temporary mitigation. However, these measures do not fully resolve the vulnerability and are not substitutes for applying the vendor’s patch. Companies should also consider employing best practices for SQL query handling, such as using prepared statements and stored procedures, validating user input, and limiting database permissions.
