CVE-2025-11357 is a SQL injection vulnerability identified in version 1.0 of the Simple Banking System developed by code-projects. The vulnerability resides in the /createuser.php endpoint, where the 'Name' parameter is improperly sanitized, allowing an attacker to inject malicious SQL commands. This flaw can be exploited remotely without requiring user interaction or elevated privileges, making it accessible to unauthenticated attackers with network access to the application. The SQL injection can lead to unauthorized reading, modification, or deletion of database records, potentially compromising sensitive banking data such as user credentials, account information, or transaction records. The CVSS 4.0 base score of 5.3 (medium severity) reflects that while the attack vector is network-based and requires no user interaction, the impact on confidentiality, integrity, and availability is limited to low levels. No patches or official fixes have been published yet, and although proof-of-concept exploit code is publicly available, there are no confirmed reports of active exploitation in the wild. The vulnerability highlights the critical need for secure coding practices, especially in financial applications where data integrity and confidentiality are paramount.

For European organizations, this vulnerability poses a risk of unauthorized data access and manipulation within banking systems using the affected software. Exploitation could lead to exposure of sensitive customer data, financial fraud, or disruption of banking operations. Even though the severity is medium, the financial sector's high regulatory requirements (e.g., GDPR, PSD2) mean that any data breach could result in significant legal and reputational consequences. The ability to remotely exploit the vulnerability without authentication increases the attack surface, especially for internet-facing banking applications. Organizations relying on this software may face increased risk of targeted attacks or automated scanning by threat actors leveraging the publicly available exploit. Additionally, the lack of an official patch means organizations must implement interim mitigations to reduce exposure. The impact extends beyond direct financial loss to potential erosion of customer trust and regulatory penalties.

1. Immediately implement input validation and sanitization on the 'Name' parameter in /createuser.php to block malicious SQL payloads. 2. Refactor the application code to use parameterized queries or prepared statements to prevent SQL injection. 3. Restrict database user permissions to the minimum necessary, avoiding use of highly privileged accounts for application access. 4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block SQL injection attempts targeting this endpoint. 5. Monitor application logs and database activity for unusual queries or access patterns indicative of exploitation attempts. 6. Isolate or limit network exposure of the vulnerable application, restricting access to trusted IP ranges where possible. 7. Engage with the vendor or development community to obtain or develop an official patch or updated version. 8. Conduct security code reviews and penetration testing to identify and remediate similar vulnerabilities elsewhere in the application. 9. Educate developers on secure coding practices to prevent recurrence of injection flaws. 10. Prepare incident response plans to quickly address any detected exploitation.