CVE-2025-14667 is an SQL injection vulnerability identified in the itsourcecode COVID Tracking System version 1.0. The vulnerability resides in an unknown function within the /admin/?page=system_info endpoint, specifically involving the meta_value parameter. An attacker can remotely manipulate this parameter to inject malicious SQL queries, potentially bypassing authentication and executing arbitrary database commands. This can lead to unauthorized data disclosure, modification, or deletion, compromising the confidentiality, integrity, and availability of the system's data. The vulnerability does not require any privileges or user interaction, making it highly accessible for attackers. Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the network attack vector, low attack complexity, and no required privileges or user interaction. The vulnerability affects only version 1.0 of the product, and no official patches have been published yet. The COVID Tracking System is likely used by health organizations and government agencies to monitor pandemic data, making it a sensitive target for attackers aiming to disrupt public health efforts or steal sensitive information.

For European organizations, exploitation of this SQL injection vulnerability could result in unauthorized access to sensitive health data, manipulation or deletion of critical COVID-19 tracking information, and disruption of public health monitoring systems. This could undermine trust in government and health institutions, lead to privacy violations under GDPR, and potentially cause operational downtime or misinformation during a public health crisis. The impact is particularly significant for organizations managing large-scale pandemic response data or integrating this system with other health infrastructure. Data breaches could expose personally identifiable information (PII) of citizens, leading to legal and reputational consequences. Additionally, attackers could leverage this vulnerability to pivot within networks, escalating their access and causing broader damage.

Organizations should immediately conduct a thorough code audit focusing on the /admin/?page=system_info endpoint and the handling of the meta_value parameter to identify and remediate unsafe SQL query constructions. Implement parameterized queries or prepared statements to prevent SQL injection. Restrict access to the administrative interface through network segmentation, VPNs, or IP whitelisting to reduce exposure. Monitor logs for unusual database queries or access patterns indicative of exploitation attempts. If possible, deploy web application firewalls (WAFs) with rules targeting SQL injection signatures. Since no official patches are currently available, consider temporary mitigations such as disabling or restricting the vulnerable functionality until a fix is released. Educate administrators about the risks and ensure timely application of any future patches from the vendor. Finally, review and enhance overall input validation and sanitization practices across the application.