CVE-2025-15450 is a SQL injection vulnerability found in the sfturing hosp_order software, affecting the findOrderHosNum function located in the /ssm_pro/orderHos/ directory. The vulnerability stems from insufficient input validation and sanitization of the hospitalAddress and hospitalName parameters, which are used directly in SQL queries. This flaw allows remote attackers to craft malicious input that alters the intended SQL commands, potentially enabling unauthorized data retrieval, modification, or deletion within the underlying database. The vulnerability can be exploited remotely without requiring authentication or user interaction, increasing its risk profile. The product does not implement versioning, making it difficult to determine which specific builds are affected, though the identified affected commit hash is 627f426331da8086ce8fff2017d65b1ddef384f8. The vendor was notified but has not responded or released patches, leaving users exposed. The CVSS 4.0 base score of 5.3 reflects a medium severity, considering the attack vector is network-based with low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is limited but present, as the vulnerability could allow attackers to access or manipulate sensitive hospital order data. No known active exploitation has been reported, but public exploit code is available, increasing the likelihood of future attacks. Organizations relying on this software should urgently assess their exposure and implement mitigations.

The SQL injection vulnerability in sfturing hosp_order can lead to unauthorized access and manipulation of sensitive hospital order data, potentially exposing patient information, disrupting hospital operations, and undermining data integrity. Attackers could extract confidential data, modify or delete records, or execute arbitrary SQL commands, which may result in data breaches, loss of trust, and regulatory non-compliance, especially in healthcare environments subject to strict data protection laws. The remote exploitability without authentication increases the risk of widespread attacks, particularly if the software is exposed to the internet or accessible within insecure networks. The lack of vendor response and absence of patches exacerbate the threat, leaving organizations vulnerable to exploitation. While no active exploitation is currently known, the availability of public exploit code lowers the barrier for attackers to launch successful attacks. The impact extends to operational disruption, potential financial losses, and reputational damage for healthcare providers using this product.

Given the absence of vendor patches, organizations should implement immediate compensating controls. First, restrict network access to the hosp_order application by implementing strict firewall rules and network segmentation to limit exposure to trusted internal networks only. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting hospitalAddress and hospitalName parameters. Conduct thorough input validation and sanitization at the application layer, if possible, by applying parameterized queries or prepared statements to prevent injection. Monitor application logs for suspicious query patterns or anomalies indicative of injection attempts. If feasible, perform code review and patch the vulnerable function internally to enforce proper input handling. Regularly back up databases and implement robust incident response plans to quickly recover from potential compromises. Finally, maintain heightened vigilance for emerging exploits and consider migrating to alternative, actively supported software solutions if vendor support remains absent.