CVE-2025-10118: SQL Injection in itsourcecode E-Logbook with Health Monitoring System for COVID-19
A security vulnerability has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. The affected element is an unknown function of the file /login.php. Manipulation of the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-10118 is a SQL injection vulnerability in version 1.0 of the itsourcecode E-Logbook with Health Monitoring System for COVID-19. The flaw is in an unspecified function of /login.php, where the 'Username' parameter reaches a SQL query without being parameterized or otherwise neutralized, so an attacker controls part of the statement the database executes. Because the injection point is the login handler, this class of flaw typically allows authentication bypass in addition to reading, modifying or deleting data in the backend database. The vulnerability is reachable over the network with low attack complexity (AV:N, AC:L) and requires neither prior authentication nor user interaction. The CVSS 4.0 base score is 6.9 (medium), which is consistent with the assessor rating the direct impact on confidentiality, integrity and availability as low rather than high; the rating should not be read as meaning the database is safe, only that the scored impact stops short of full compromise. No exploitation in the wild has been reported, but a proof of concept has been published, which lowers the bar for opportunistic attacks. Given that the product tracks personal health data for COVID-19 monitoring, exposure of that data or disruption of the system could have serious consequences.
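The following is an added example, not code from the advisory or from the itsourcecode project, showing the vulnerability class the summary describes: a login query built from the request's username beside the same query with bound parameters. The table, the account and the payload are constructed for illustration; the payload is the generic comment-terminator technique for this class of bug, not the published proof of concept for CVE-2025-10118. SQLite stands in for the MySQL database such PHP projects normally use.

```python
import sqlite3

# Constructed stand-in for the application's user table. The schema, the
# account and the plaintext password column are assumptions made to keep the
# illustration short; real code stores a salted password hash.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string formatting: the attacker's input becomes SQL."""
    sql = (
        "SELECT id, username FROM users "
        "WHERE username = '%s' AND password = '%s'"
    ) % (username, password)
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: input is data, never query text."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[1] if row else None


def demo() -> dict:
    """Runs both login paths against the same input and returns the outcomes."""
    conn = make_db()
    # Generic comment-terminator payload: closes the string literal and comments
    # out the password check. The trailing space keeps the "-- " comment valid
    # in MySQL as well as SQLite.
    payload = "admin' -- "
    return {
        "vulnerable_bypass": login_vulnerable(conn, payload, "wrong-password"),
        "fixed_bypass": login_fixed(conn, payload, "wrong-password"),
        "fixed_legit": login_fixed(conn, "admin", "s3cret"),
        "vulnerable_wrong_password": login_vulnerable(conn, "admin", "wrong-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Run it and the vulnerable path returns the admin account for a wrong password, while the parameterized path returns nothing for the same input and still accepts the real credentials. The fix is the query shape, not a filter: escaping or stripping quotes leaves numeric contexts and second-order cases open, whereas a bound parameter can never change the statement's structure.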
Potential Impact
For European organizations, especially healthcare providers, public health authorities, and institutions involved in COVID-19 monitoring and response, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized access to sensitive personal health data, violating GDPR and other privacy regulations, resulting in legal and reputational damage. Data integrity attacks could corrupt health records, undermining public health decision-making and response efforts. Availability impacts could disrupt critical health monitoring services during a pandemic, affecting patient care and public safety. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, particularly in environments where this software is deployed without adequate network segmentation or monitoring.
Mitigation Recommendations
Apply a fixed version as soon as one is published. If none is available, fix the login code directly: pass the Username and password values to the database through prepared statements or parameterized queries instead of building the query string from request input. Input validation is a useful additional layer but not a substitute; the query itself must be parameterized. As a stopgap only, deploy web application firewall (WAF) rules that flag SQL injection patterns in the Username parameter of /login.php, and expect some evasion through encoding and case variation. Restrict network access so the login page is reachable only from trusted internal networks or over a VPN. Monitor authentication logs and database query logs for login attempts whose username contains SQL metacharacters or keywords, and for bursts of such attempts from a single client. Review the incident response plan for breaches involving health data, since records in this system are likely to be personal health information under GDPR. Encryption of stored data and backups limits exposure if storage or backup media are stolen, but it does not stop an injection attack, because the application decrypts the data it queries on the attacker's behalf.
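Added example (not part of the advisory) for the log-monitoring recommendation above. Standard web server access logs do not record POST bodies, so this assumes an application-side or reverse-proxy audit log that records the submitted username per login attempt, in a constructed one-line format: timestamp, client address, path, URL-encoded username. The sample lines and the rule set are constructed; the rules are deliberately narrow so that a legitimate name such as o'brien does not alert.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample audit log in an assumed format:
# "<timestamp> <client_ip> <path> username=<urlencoded value>"
SAMPLE_LOG = """\
2025-09-09T01:10:02Z 203.0.113.7 /login.php username=admin
2025-09-09T01:10:09Z 203.0.113.7 /login.php username=admin%27+--
2025-09-09T01:10:15Z 198.51.100.4 /login.php username=o%27brien
2025-09-09T01:10:21Z 203.0.113.7 /login.php username=%27+OR+1%3D1--
2025-09-09T01:10:40Z 203.0.113.7 /login.php username=x%27+UNION+SELECT+1%2C2%2C3--
2025-09-09T01:11:05Z 192.0.2.9 /index.php username=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+) username=(?P<user>\S*)$"
)

# Each rule is (name, pattern); patterns run on the URL-decoded value.
# Kept narrow on purpose: a lone apostrophe (o'brien) is not an alert.
RULES = [
    ("comment_terminator", re.compile(r"(--|#|/\*)")),
    ("tautology", re.compile(r"'\s*or\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("stacked_query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]


def classify(username: str) -> List[str]:
    """Returns the names of every rule the decoded username matches."""
    decoded = unquote_plus(username)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan(log_text: str, path: str = "/login.php") -> List[Dict]:
    """Parses the audit log and returns one record per suspicious login attempt
    against the given path, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] != path:
            continue
        tags = classify(m["user"])
        if tags:
            hits.append(
                {
                    "ts": m["ts"],
                    "ip": m["ip"],
                    "username": unquote_plus(m["user"]),
                    "tags": tags,
                }
            )
    return hits


def offenders(hits: List[Dict], threshold: int = 2) -> Dict[str, int]:
    """Counts suspicious attempts per client and keeps those at or above the threshold."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['username']!r} -> {', '.join(h['tags'])}")
    print("clients over threshold:", offenders(found))
```

Treat this as triage, not a control: the patterns catch the common payload shapes but miss the encodings and case tricks a WAF would also miss, which is why the real fix is the parameterized query. The per-client count is what you would feed into alerting or temporary blocking.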
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-08T15:00:28.882Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68bf8703d5a2966cfc8533bc
Added to database: 9/9/2025, 1:46:43 AM
Last enriched: 9/9/2025, 2:01:53 AM
Last updated: 9/9/2025, 9:35:56 PM
Related Threats
- CVE-2025-21415: CWE-290: Authentication Bypass by Spoofing in Microsoft Azure AI Face Service (Critical)
- CVE-2025-21413: CWE-122: Heap-based Buffer Overflow in Microsoft Windows 10 Version 1809 (High)
- CVE-2025-21411: CWE-122: Heap-based Buffer Overflow in Microsoft Windows 10 Version 1809 (High)
- CVE-2025-21405: CWE-284: Improper Access Control in Microsoft Visual Studio 2022 version 17.12 (High)
- CVE-2025-21403: CWE-863: Incorrect Authorization in Microsoft On-Premises Data Gateway (Medium)