A critical SQL Injection vulnerability, identified as CVE-2025-40691, exists in the PHPGurukul Online Fire Reporting System. This flaw allows an unauthenticated attacker to execute arbitrary commands on the application's database, potentially leading to a complete compromise of all stored data, including theft, modification, and deletion. Due to its ease of exploitation and severe impact, this vulnerability poses a significant and immediate risk to the confidentiality, integrity, and availability of the system.

The application is vulnerable to SQL Injection due to improper sanitization of user-supplied input in the 'todate' parameter. An unauthenticated remote attacker can send a specially crafted HTTP request to the '/ofrs/...' endpoint, embedding malicious SQL queries within this parameter. The backend database executes these injected queries, allowing the attacker to bypass security controls and perform arbitrary database operations, such as reading sensitive data, modifying or deleting records, and potentially escalating privileges or achieving remote code execution depending on the database configuration.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a catastrophic data breach, compromising sensitive information related to fire incidents, locations, and personnel. An attacker could exfiltrate all data, manipulate official records to disrupt operations, or delete the entire database, rendering the system inoperable. The business risks include severe reputational damage, loss of public trust, potential regulatory fines for data exposure, and significant costs associated with incident response and system recovery.

Immediate Action: Immediately update all instances of the PHPGurukul Online Fire Reporting System to the latest version provided by the vendor to patch this vulnerability. Following the update, conduct a thorough review of access and database logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring: Implement enhanced monitoring of web application and database server logs. Specifically, look for suspicious requests to the vulnerable endpoint that contain SQL keywords (e.g., UNION, SELECT, --, ' OR '1'='1') within the 'todate' parameter. Configure alerts for a high volume of database errors or unusual query patterns, which could indicate exploitation attempts.

Compensating Controls: If patching cannot be performed immediately, deploy a Web Application Firewall (WAF) and configure it with strict rules to detect and block SQL injection attack patterns. Additionally, enforce the principle of least privilege by ensuring the application's database user has the minimum permissions necessary for its operation, which can limit the impact of a successful exploit.

Public Exploit Available: Not known to be publicly available at the time of this report.

This vulnerability presents a critical and urgent threat to the organization. Given the CVSS score of 9.8 and the potential for complete database compromise by an unauthenticated attacker, immediate remediation is mandatory. All system owners must prioritize the identification and patching of all affected systems without delay. Although not currently on the CISA KEV list, the severity warrants treating this as an actively exploited threat and adhering to an emergency patching timeline.