VYPR
Unrated severity · NVD Advisory · Published May 31, 2019 · Updated Aug 4, 2024

CVE-2019-10123

Description

SQL Injection in Advanced InfoData Systems (AIS) ESEL-Server 67 (which is the backend for the AIS logistics mobile app) allows an anonymous attacker to execute arbitrary code in the context of the user of the MSSQL database. The default user for the database is the 'sa' user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An anonymous attacker can exploit SQL Injection in AIS ESEL-Server 67 to execute arbitrary code as the MSSQL 'sa' user.

Vulnerability

A SQL Injection vulnerability exists in the Advanced InfoData Systems (AIS) ESEL-Server version 67, which serves as the backend for the AIS logistics mobile app. The injection occurs in an unsanitized input parameter passed to MSSQL queries, and by default the database connection uses the privileged sa account. The exact vulnerable endpoint is not fully detailed in the available references, but the Metasploit module [2] confirms the flaw is reachable remotely without authentication.

Exploitation

An anonymous, unauthenticated attacker with network access to the ESEL-Server can inject arbitrary SQL statements by crafting malicious input to a vulnerable parameter. The attacker does not need any prior credentials or user interaction. According to the Metasploit pull request [2], the exploit sends a series of SQL queries that enable xp_cmdshell and then execute operating system commands in the context of the MSSQL service, which runs as the sa user.

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands on the MSSQL host under the highly privileged sa database user account. This yields full control over the MSSQL instance and, depending on configuration, the underlying Windows server. The impact includes complete compromise of the database (confidentiality, integrity, and availability) and potentially the entire server, as noted in the description [2].

Mitigation

No official vendor patch or fix has been found in the available references [1][2]. The vendor's public website [1] does not mention this vulnerability. Organizations using AIS ESEL-Server 67 should restrict network access to the server, apply the principle of least privilege to the database user (i.e., avoid using the sa account for the application), and consider using a Web Application Firewall (WAF) to filter SQL injection attempts until a fix is released.
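The two database-side weaknesses the narrative points at (the application connecting as the sysadmin-level sa login, and xp_cmdshell being available for an injected query to switch on) can be checked and closed from the MSSQL side. The T-SQL below is an added example written for this page, not code from the advisory, the Metasploit module or the vendor; the login name esel_app, the database name ESEL and the password placeholder are assumptions.

```sql
-- Added example: audit and harden the MSSQL instance behind an ESEL-Server
-- deployment. Names 'esel_app' and 'ESEL' are assumptions, not vendor values.

-- 1. Is xp_cmdshell currently enabled?  value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Which logins hold sysadmin?  An application login must not appear here;
--    with sa in the connection string, any injected query inherits this role.
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- 3. Turn xp_cmdshell off so an injected EXEC xp_cmdshell fails outright
--    (a sysadmin-level login can still re-enable it, hence step 4).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Give the application its own login with data access only in its own
--    database, then point the ESEL-Server connection string at it instead of sa.
CREATE LOGIN esel_app
    WITH PASSWORD = '<strong-password-placeholder>', CHECK_POLICY = ON;
USE ESEL;
CREATE USER esel_app FOR LOGIN esel_app;
ALTER ROLE db_datareader ADD MEMBER esel_app;
ALTER ROLE db_datawriter ADD MEMBER esel_app;

-- 5. Once nothing depends on sa, disable it and verify.
ALTER LOGIN sa DISABLE;
SELECT name, is_disabled FROM sys.server_principals WHERE name = 'sa';

-- 6. Detection: every sp_configure change of xp_cmdshell is written to the
--    SQL Server error log as "Configuration option 'xp_cmdshell' changed from
--    0 to 1".  Searching the current log for that line shows whether anyone
--    (including an injected query) has re-enabled it since step 3.
--    xp_readerrorlog is an undocumented but long-standing procedure:
--    arguments are log number (0 = current), log type (1 = SQL Server),
--    and two search strings that must both match.
EXEC xp_readerrorlog 0, 1, N'Configuration option', N'xp_cmdshell';
```

Step 4 reduces blast radius but does not remove the injection itself; the application still needs parameterized queries on the vulnerable input, which the references do not describe in enough detail to show here.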

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2

News mentions: 0 (no linked articles in the index yet)