CVE-2025-14192: SQL Injection in RashminDungrani online-banking
A vulnerability was found in RashminDungrani online-banking up to commit 2337ad552ea9d385b4e07b90e6f32d011b7c68a2. It affects an unknown part of the file /site/dist/auth_login.php. Manipulation of the argument Username results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used. This product uses continuous delivery with rolling releases, so no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-14192 identifies a SQL injection vulnerability in the RashminDungrani online-banking system, affecting versions up to commit 2337ad552ea9d385b4e07b90e6f32d011b7c68a2. The vulnerability resides in the authentication login script (/site/dist/auth_login.php), where the Username parameter is improperly sanitized, allowing attackers to inject malicious SQL queries remotely. This flaw does not require any authentication or user interaction, making it highly accessible for exploitation. The continuous delivery model with rolling releases complicates pinpointing affected versions or patches, and the vendor has not provided any response or remediation guidance. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no privileges or user interaction needed, and partial impacts on confidentiality, integrity, and availability. Exploitation could lead to unauthorized data access, manipulation, or deletion within the banking platform's database, potentially compromising sensitive customer information and transactional integrity. Although no exploits are currently reported in the wild, public disclosure increases the risk of imminent attacks. The lack of vendor response and patch availability necessitates proactive defensive measures by users of this platform.
Potential Impact
European organizations using RashminDungrani online-banking software face significant risks including unauthorized access to sensitive customer data, financial information leakage, and potential manipulation or disruption of banking transactions. Confidentiality is at risk due to possible data exfiltration via SQL injection. Integrity could be compromised by unauthorized modification or deletion of records, affecting trustworthiness of financial data. Availability may be impacted if attackers exploit the vulnerability to cause denial of service or database corruption. Given the critical nature of banking services, such disruptions could lead to financial losses, regulatory penalties under GDPR, and reputational damage. The remote and unauthenticated nature of the vulnerability increases the likelihood of exploitation, especially as exploit code is publicly available. European financial institutions must consider this vulnerability a serious threat to their operational security and customer trust.
Mitigation Recommendations
1. Immediate code audit and remediation: review the /site/dist/auth_login.php script and implement proper input validation and parameterized queries or prepared statements to prevent SQL injection.
2. Deploy Web Application Firewalls (WAFs) with rules specifically targeting SQL injection patterns on the Username parameter.
3. Monitor logs for unusual database query patterns or repeated failed login attempts that may indicate exploitation attempts.
4. Since vendor patches are unavailable, consider isolating or restricting access to the affected service until a fix is released.
5. Conduct penetration testing and vulnerability scanning focused on injection flaws to identify any other vulnerable inputs.
6. Educate development teams on secure coding practices to prevent similar vulnerabilities in future rolling releases.
7. Engage with the vendor or community to push for timely patch releases and transparency.
8. Implement multi-factor authentication and additional layers of security to reduce impact if credentials are compromised.
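As an added illustration of recommendation 1 (not the project's own code, since the affected auth_login.php is not reproduced here), a PDO login lookup for the Username parameter with the value bound as a prepared-statement parameter, beside the string-concatenation pattern the advisory describes. The `$pdo` connection, the `users` table and its `username` and `password_hash` columns are assumptions.

```php
<?php
// Added example, not from the RashminDungrani project. $pdo is assumed to be an
// open PDO connection; the users table and its columns are assumed names.

function login_unsafe(PDO $pdo, string $username): ?array
{
    // VULNERABLE pattern: the request value becomes part of the SQL text, so
    // the database parses whatever the client sent as part of the query.
    $sql = "SELECT id, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login_safe(PDO $pdo, string $username, string $password): ?int
{
    // Input validation first: reject anything that is not a plausible username
    // before it reaches the database (allowlist is an assumed policy).
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $username)) {
        return null;
    }
    // Prepared statement: the SQL text is fixed and the value travels as a
    // bound parameter, so it is only ever treated as data, never as SQL.
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constant outcome for unknown user and wrong password: no account probing.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Usage (constructed): disable emulated prepares so the server binds values,
// then authenticate the form fields the advisory names.
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// $userId = login_safe($pdo, $_POST['Username'] ?? '', $_POST['Password'] ?? '');
```

The WAF rule in recommendation 2 is a compensating control only; the prepared statement above is what removes the flaw.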
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-06T17:15:34.899Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69358a9756f2fcb39f2bcb36
Added to database: 12/7/2025, 2:09:27 PM
Last enriched: 12/7/2025, 2:21:04 PM
Last updated: 12/8/2025, 2:22:36 AM