A critical SQL injection vulnerability, identified as CVE-2025-40692, has been discovered in the Online Fire Reporting System by PHPGurukul. This flaw allows an unauthenticated attacker to gain complete control over the application's database, enabling them to steal, modify, or delete sensitive fire incident data. Due to the high severity (CVSS 9.8) and potential for full system compromise, immediate remediation is strongly advised.

The vulnerability is a classic SQL injection that exists in the requestid parameter of an application endpoint. An attacker can inject malicious SQL commands into this parameter when making a request to the server. Because the application fails to properly sanitize this user-supplied input, the malicious commands are executed directly by the backend database, allowing the attacker to bypass authentication and perform arbitrary database operations, including reading, creating, updating, and deleting any data in the database.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could have a devastating impact on the organization. An attacker could exfiltrate sensitive information contained within the fire reporting system, such as personal details, incident locations, and response team information. Furthermore, the ability to modify or delete records compromises data integrity, which could disrupt emergency response operations, invalidate historical data for analysis, and lead to significant legal and reputational damage.

Immediate Action: The primary remediation is to apply the security patches provided by the vendor immediately. Upgrade the Online Fire Reporting System to the latest secure version to eliminate the vulnerability. After patching, review system and database access logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring: Implement enhanced monitoring of web server and application logs. Specifically, look for suspicious requests to the vulnerable endpoint containing SQL keywords (e.g., UNION, SELECT, --, OR 1=1) within the requestid parameter. Monitor for unusual database activity, such as unexpected queries from the web application's user account or large, anomalous data transfers.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks. Additionally, ensure the database user account leveraged by the application operates under the principle of least privilege, restricting its permissions to only what is absolutely necessary for application function, thereby limiting the potential damage of a successful exploit.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the ease of exploitation, this vulnerability poses a significant and immediate risk to the organization. We strongly recommend that the remediation plan be executed as a top priority. Although there is no current evidence of active exploitation, the high severity makes this an attractive target for attackers. Organizations must patch all affected systems without delay to prevent potential data breaches and operational disruption.