PatchSiren cyber security CVE debrief

CVE-2022-2504 SDD Computer Software CVE debrief

A critical SQL injection vulnerability exists in SDD-Baro, a software product by SDD Computer Software. The flaw stems from improper neutralization of special elements in SQL commands (CWE-89), allowing unauthenticated attackers to execute arbitrary SQL statements. The vulnerability affects all versions prior to 2.8.432. The issue was disclosed by the Turkish National Cyber Security Incident Response Team (USOM) in advisory TR-23-0107. Organizations using affected versions should upgrade to SDD-Baro 2.8.432 or later immediately, as this vulnerability is remotely exploitable without authentication and carries the highest severity rating.

Vendor: SDD Computer Software
Product: SDD-Baro
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-02-23
Original CVE updated: 2026-05-20
Advisory published: 2023-02-23
Advisory updated: 2026-05-20

Who should care

Organizations running SDD-Baro for business operations, particularly those with internet-exposed instances or containing sensitive business/financial data. Database administrators and application security teams responsible for legacy .NET or Windows-based business applications should prioritize this patch.

Technical summary

SDD-Baro versions prior to 2.8.432 contain an SQL injection vulnerability due to improper input sanitization. The flaw allows network-based attackers without credentials to inject malicious SQL commands, potentially leading to complete database compromise, data exfiltration, authentication bypass, and server-side code execution. The CVSS 3.1 score of 9.8 reflects network attack vector, low complexity, no privileges required, no user interaction, and high impact across confidentiality, integrity, and availability. The vulnerability was reported through coordinated disclosure via USOM (Turkish National Cyber Security Incident Response Team) in February 2023.

Defensive priority

critical

Recommended defensive actions

  • Upgrade SDD-Baro to version 2.8.432 or later immediately.
  • If immediate patching is not possible, restrict network access to SDD-Baro administrative interfaces to trusted IP ranges only.
  • Monitor database query logs for anomalous SQL syntax or unexpected table access patterns.
  • Review application logs for suspicious authentication attempts or unusual data retrieval patterns.
  • Conduct code review of any custom SQL query implementations in SDD-Baro deployments for additional injection vectors.
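The query-log monitoring action above, as an added example that is not part of this debrief or of SDD-Baro: a small heuristic scanner that flags classic injection shapes (tautologies, comment truncation, UNION SELECT, stacked statements) in database query logs and aggregates hits per client address for triage. The log format and the sample lines are constructed for illustration.

```python
import re

# Constructed sample query-log lines (not real SDD-Baro logs). Assumed
# format: "<timestamp> <client-address> <sql statement>".
SAMPLE_LOG = """\
2023-02-23T10:00:01 10.0.0.5 SELECT name FROM customers WHERE id = 42
2023-02-23T10:00:02 203.0.113.9 SELECT name FROM customers WHERE id = 42 OR 1=1 --
2023-02-23T10:00:03 203.0.113.9 SELECT name FROM customers WHERE id = 0 UNION SELECT password FROM users
2023-02-23T10:00:04 10.0.0.5 UPDATE invoices SET paid = 1 WHERE id = 17
2023-02-23T10:00:05 203.0.113.9 SELECT 1; DROP TABLE audit_log
"""

# Heuristic indicators of injected SQL: (name, compiled pattern).
INDICATORS = [
    # OR 1=1, OR 'a'='a' and similar always-true comparisons
    ("tautology", re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1(?!\w)", re.I)),
    # statement ends in a comment opener, typically used to cut off the rest
    ("comment-truncation", re.compile(r"(--|#|/\*)\s*$")),
    ("union-select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    # a second, destructive statement appended after a semicolon
    ("stacked-query", re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT|EXEC|ALTER)\b", re.I)),
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def classify(sql):
    """Return the names of all indicators that match one SQL statement."""
    return [name for name, pat in INDICATORS if pat.search(sql)]

def scan_log(text):
    """Parse log lines; return (timestamp, client, indicators) for suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, sql = m.groups()
        found = classify(sql)
        if found:
            hits.append((ts, client, found))
    return hits

def clients_by_hits(hits):
    """Count suspicious statements per client address to prioritise triage."""
    counts = {}
    for _, client, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts
```

These patterns are triage leads, not proof: legitimate application queries can contain UNION or comments, so correlate hits with the source address and the application's normal query shapes before acting.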

Evidence notes

CVE published 2023-02-23; modified 2026-05-20. Advisory TR-23-0107 published by USOM (Turkish National Cyber Security Incident Response Team). CPE confirms affected versions: sdd-baro_project:sdd-baro versions before 2.8.432. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Official resources

USOM advisory TR-23-0107 (published 2023-02-23)