26 March 2024

CISA and FBI urge manufacturers to eliminate SQL injection flaws


The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint alert urging executives of technology manufacturing companies to conduct formal reviews of their organizations' software and promptly implement mitigations aimed at eliminating SQL injection (SQLi) security vulnerabilities before shipping products to consumers.

SQL injection vulnerabilities represent a significant threat to the integrity and security of databases. They occur when user-supplied input is inserted directly into a SQL command, enabling threat actors to execute arbitrary queries. Successful SQLi exploitation can allow malicious actors to steal sensitive information, or to tamper with, delete, or render unavailable the information held in a database.

“SQL injections succeed because software developers fail to treat user-supplied content as potentially malicious,” the advisory notes.

“During the design and development of a software product, developers should use parameterized queries with prepared statements to separate SQL code from user-supplied data to prevent this class of vulnerability,” it continues. “This separation ensures the system treats user input as data and not executable code, thereby eliminating the risk of malicious user input being interpreted as a SQL statement. Software manufacturers should systemically eliminate SQLi vulnerabilities by enforcing the use of parametrized queries across their applications.”
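The defect the advisory describes and the remedy it recommends, side by side, as an added example that is not part of the alert or of this article. It uses Python's standard sqlite3 module against an in-memory database with constructed sample rows; the table, column names and inputs are assumptions chosen for illustration. The vulnerable lookup splices the caller's string into the SQL text, so a quote in the input changes the statement (either leaking every row or crashing the query); the parameterized lookup binds the same value through a placeholder, so it is only ever compared as data.

```python
import sqlite3

# Constructed sample data for the in-memory database (not from the advisory).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def build_db():
    """Create a fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the advisory warns against: input is spliced into SQL text.

    The database parser sees one string and cannot tell which part was the
    developer's code and which part came from the user.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The pattern the advisory recommends: prepared statement plus bound value.

    The SQL text is fixed at development time; the driver hands the value to
    the engine separately, so quotes in it are never interpreted as syntax.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on a fresh database; returns (vulnerable, parameterized)."""
    conn = build_db()
    try:
        try:
            vulnerable = lookup_vulnerable(conn, username)
        except sqlite3.OperationalError as exc:
            # A stray apostrophe in the input breaks the spliced statement:
            # the same defect surfaces as a crash instead of a data leak.
            vulnerable = f"error: {exc}"
        safe = lookup_parameterized(conn, username)
    finally:
        conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        vuln, safe = compare(value)
        print(f"input={value!r}")
        print(f"  spliced SQL   -> {vuln}")
        print(f"  parameterized -> {safe}")
```

For the ordinary username both lookups return the same single row. For a name containing an apostrophe the spliced version fails with a syntax error while the parameterized one simply finds no match, and for input that closes the quote and appends a tautology the spliced version returns every row whereas the parameterized one again returns nothing. That last contrast is the "data, not executable code" separation the advisory calls for; the only change needed in application code is moving the value out of the SQL string and into the bound-parameter tuple.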

The guidance also highlights three principles manufacturers should review. Those include taking ownership of customer security outcomes, embracing radical transparency and accountability, and building organizational structure and leadership to achieve these goals.

Separately, CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to add three new actively exploited vulnerabilities:

CVE-2023-48788 - Fortinet FortiClient EMS SQL Injection Vulnerability

CVE-2021-44529 - Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability

CVE-2019-7256 - Nice Linear eMerge E3-Series OS Command Injection Vulnerability
