Software SQL Injection Flaw (CVE-2025-10970) - Patch Now
CVE-2025-10970
Critical SQL injection in Kolay Talentics steals PII, bypasses auth, destroys data. No patch available. Isolate immediately and deploy a WAF as mitigation.
Patch now - CVE-2025-10970 is a critical unauthenticated SQL injection in Kolay Software Inc. Talentics all versions through February 20, 2026 that steals all database data, bypasses authentication, and manipulates or destroys records. No patch exists; isolate the application behind a WAF and restrict network access.
Overview
A critical security vulnerability has been identified in Kolay Software Inc.’s Talentics platform. This flaw, tracked as CVE-2025-10970, is a Blind SQL Injection vulnerability that affects all versions of Talentics released through February 20, 2026.
Vulnerability Explained
In simple terms, this is a severe input validation flaw. The Talentics application does not properly check or “sanitize” user-supplied data before using it to query its database. An attacker can exploit this by inserting malicious database commands (SQL queries) into normal input fields, such as login forms or search boxes. The “Blind” aspect means an attacker can still steal data and manipulate the database even without seeing direct error messages or query output, inferring results from the application’s behaviour (for example, response timing or true/false differences in pages), which makes the attack stealthier.
Potential Impact
The impact of this vulnerability is severe due to its critical CVSS score of 9.8 (on a scale of 0-10). A successful exploit could allow an unauthenticated remote attacker to:
- Steal Sensitive Data: Extract any information stored in the Talentics database, including personally identifiable information (PII), employee records, performance data, and internal company information.
- Bypass Authentication: Gain unauthorized administrative access to the Talentics platform.
- Manipulate or Destroy Data: Alter, delete, or corrupt database contents, which could lead to significant operational disruption and data loss.
Remediation and Mitigation
The vendor, Kolay Software Inc., was contacted prior to disclosure but has not responded. As no official patch is currently available, the following actions are critical:
- Immediate Isolation: If possible, restrict network access to the Talentics application. Place it behind a firewall and limit access to only necessary IP addresses or via a VPN.
- Web Application Firewall (WAF): Deploy or configure a WAF in front of the application immediately. Ensure it is tuned with rules specifically designed to block SQL injection payloads. This is the most effective temporary mitigation.
- Vigilant Monitoring: Review database and application logs for any unusual or unexpected query patterns, especially long-running queries or access from suspicious sources.
- Vendor Engagement: Continuously attempt to contact Kolay Software Inc. for an official security patch or update. Plan for an immediate upgrade once a fixed version becomes available.
Important Note: Input validation at the application level is the only permanent fix. A WAF is a protective shield but does not remove the underlying flaw. Organizations should assess the continued use of the software until the vendor provides a patched version.
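The monitoring step above recommends reviewing logs for unusual query patterns and long-running requests. The following is an added example, not code from this advisory or from Kolay Software, that scores constructed access-log lines for two blind-SQLi signals: injection-style syntax in decoded parameters and a response time far above the endpoint's median. The log format, endpoint names and client addresses are assumptions for illustration.

```python
import re
from statistics import median
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from Talentics or the advisory):
# timestamp client method path_with_query status duration_ms
SAMPLE_LOG = """\
2026-02-21T10:00:01Z 10.0.0.5 POST /login?user=alice 200 41
2026-02-21T10:00:02Z 10.0.0.5 GET /search?q=engineer 200 38
2026-02-21T10:00:03Z 10.0.0.7 GET /search?q=manager 200 45
2026-02-21T10:00:09Z 198.51.100.9 GET /search?q=x%27%20AND%20SLEEP(5)--%20 200 5060
2026-02-21T10:00:15Z 198.51.100.9 POST /login?user=x%27%20OR%201%3D1-- 200 40
2026-02-21T10:00:22Z 198.51.100.9 GET /search?q=x%27%20AND%20(SELECT%201)%3D1-- 200 44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
# Well-known indicators of time-based and boolean-based (blind) injection syntax
# in a URL-decoded query string; tune for your own application's parameters.
SQLI_RE = re.compile(
    r"(sleep\s*\(|benchmark\s*\(|waitfor\s+delay|pg_sleep\s*\(|'\s*(and|or)\s+[\w(]|--\s*$)",
    re.I)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, target, status, ms = m.groups()
    path, _, query = target.partition("?")
    return {"ts": ts, "client": client, "method": method, "path": path,
            "query": unquote_plus(query), "status": int(status), "ms": int(ms)}

def flag_requests(log_text, latency_factor=10.0):
    """Return (line_no, client, reasons) for requests that look like blind-SQLi probes."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    # Per-endpoint latency baseline: median duration of all requests to that path.
    by_path = {}
    for e in events:
        by_path.setdefault(e["path"], []).append(e["ms"])
    baseline = {p: median(v) for p, v in by_path.items()}
    flagged = []
    for i, e in enumerate(events, 1):
        reasons = []
        if SQLI_RE.search(e["query"]):
            reasons.append("sqli-pattern")
        if e["ms"] > latency_factor * baseline[e["path"]]:
            reasons.append("slow-response")
        if reasons:
            flagged.append((i, e["client"], reasons))
    return flagged

if __name__ == "__main__":
    for line_no, client, reasons in flag_requests(SAMPLE_LOG):
        print(f"line {line_no} from {client}: {', '.join(reasons)}")
```

A hit on both signals from the same client is the strongest indicator; a hit on latency alone still deserves a look at the database's slow-query log for that interval.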