A critical SQL injection vulnerability has been identified in the Blood Bank Management System, assigned CVE-2025-63531 with the highest possible CVSS score of 10.0. This flaw allows an unauthenticated attacker to bypass login controls and gain complete, unauthorized access to the system and its sensitive data. Due to the critical nature and ease of exploitation, immediate remediation is required to prevent a potential data breach.

The vulnerability is a classic SQL injection located in the receiverLogin.php component of the application. The system fails to properly validate or sanitize the remail and rpassword parameters before using them in a database query. An unauthenticated attacker can submit specially crafted input, such as ' OR '1'='1' --, in these fields to manipulate the SQL query's logic, causing the authentication check to always evaluate as true and granting them access without valid credentials.

This vulnerability is of critical severity with a CVSS score of 10.0. Successful exploitation would grant an attacker unauthorized administrative access to the Blood Bank Management System. This could lead to a severe data breach, including the exposure of sensitive patient information, blood donor records, and inventory data. The potential consequences include significant regulatory fines (e.g., HIPAA), reputational damage, loss of public trust, and disruption of critical healthcare operations.

Immediate Action: Immediately apply the security update provided by the vendor to patch the vulnerability. Update the Blood Bank Management System to the latest version to ensure the SQL injection flaw is corrected. After patching, review system access logs for any signs of unauthorized logins or suspicious activity originating prior to the update.

Proactive Monitoring: Implement enhanced logging and monitoring of the web server hosting the application. Specifically, monitor for web requests to the receiverLogin.php page containing common SQL injection syntax (e.g., ', --, UNION, SELECT, OR 1=1) in the remail and rpassword parameters. Alert on multiple failed login attempts followed by a successful login from the same IP address, which could indicate a successful bypass.

Compensating Controls: If patching cannot be performed immediately, deploy a Web Application Firewall (WAF) and configure it with rulesets designed to detect and block SQL injection attacks. Restrict network access to the application's login interface, allowing connections only from trusted IP addresses or internal networks until the patch can be applied.

Public Exploit Available: true

Given the critical CVSS score of 10.0 and the simplicity of exploitation, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that the vendor-supplied patch be applied on an emergency basis. Although this CVE is not currently listed on the CISA KEV list, its critical impact on a system managing sensitive health data warrants urgent and prioritized action. If patching is delayed, the implementation of compensating controls, such as a WAF, should be considered a mandatory temporary measure.