A critical SQL Injection vulnerability, identified as CVE-2025-40690, has been discovered in the Online Fire Reporting System by PHPGurukul. This flaw allows an unauthenticated attacker to gain complete control over the application's database, enabling them to steal, modify, or delete sensitive fire reporting data. Due to its critical severity and potential for full data compromise, immediate remediation is strongly advised.

The application is vulnerable to SQL Injection due to improper sanitization of user-supplied input in the teamid parameter. An attacker can send a specially crafted request to the /ofrs/ad... endpoint, injecting malicious SQL queries into the parameter. Successful exploitation allows the attacker to execute arbitrary commands on the backend database, bypassing authentication and authorization controls to perform actions such as reading sensitive information, modifying data, deleting records, or potentially escalating privileges to take control of the underlying server.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk of exploitation with severe consequences. A successful attack could lead to a complete compromise of the fire reporting system's database. The potential business impact includes a major data breach of sensitive incident reports, personal information, and responder details; manipulation or deletion of critical records, undermining data integrity and operational trust; and significant reputational damage. The loss of data integrity could have severe real-world consequences for emergency response and reporting.

Immediate Action: Immediately apply the vendor-supplied patch to update the Online Fire Reporting System to the latest secure version. Before deploying to production, test the update in a staging environment to ensure it does not disrupt critical operations.

Proactive Monitoring: System administrators should actively monitor web server and database logs for any signs of exploitation. Look for suspicious requests to the vulnerable endpoint containing SQL syntax (e.g., UNION, SELECT, ' OR '1'='1') within the teamid parameter. Monitor for unusual database queries, unexpected data changes, or connections from unknown IP addresses.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks. Enforce parameterized queries or stringent input validation at the application layer as an interim measure. Restrict access to the affected endpoint to trusted IP addresses only.

Public Exploit Available: true

Due to the critical 9.8 CVSS score and the high probability of exploitation, we strongly recommend that organizations using the affected software prioritize the immediate application of the vendor's patch. The risk of a complete database compromise presents an unacceptable threat to data confidentiality, integrity, and availability. If patching cannot be performed immediately, compensating controls such as a WAF must be implemented as a matter of urgency to mitigate the risk.