
CVE-2025-15450: SQL Injection in sfturing hosp_order

Severity: Medium
Published: Mon Jan 05 2026 (01/05/2026, 01:02:07 UTC)
Source: CVE Database V5
Vendor/Project: sfturing
Product: hosp_order

Description

A vulnerability was identified in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected by this vulnerability is the function findOrderHosNum of the file /ssm_pro/orderHos/. Such manipulation of the argument hospitalAddress/hospitalName leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 01/05/2026, 01:43:51 UTC

Technical Analysis

CVE-2025-15450 is a SQL injection vulnerability in sfturing hosp_order, a hospital order management application. The flaw is in the findOrderHosNum function under /ssm_pro/orderHos/, where the request parameters hospitalAddress and hospitalName reach a SQL statement without being parameterized or escaped. An attacker who can reach that endpoint can therefore change the structure of the query, which may expose, modify or delete data in the backing database. The CVE description states that the attack can be launched remotely but does not say whether the endpoint requires authentication; the CVSS 4.0 base score of 5.3 (medium) reflects a network-reachable, low-complexity attack with limited impact on confidentiality, integrity and availability, and the full vector string is not included in this record. The project does not use version numbers, so affected and fixed releases cannot be named; the description identifies the affected code only as checkouts up to commit 627f426331da8086ce8fff2017d65b1ddef384f8, and because the vendor did not respond to the disclosure there is no patch. A public exploit is reported, which lowers the bar to exploitation, although no in-the-wild exploitation has been reported. Because the application handles hospital order data, the practical consequences of even a medium-rated SQL injection are greater than the score alone suggests.
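To make the bug class concrete, the following Python block is an added example and not code from the sfturing hosp_order project, whose language and database layer this record does not state. It uses an in-memory SQLite table as a stand-in for the hospital-order lookup and places the vulnerable pattern (splicing hospitalName and hospitalAddress into the query text) next to the parameterized form. The sample rows, the table and column names, and the two payloads are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for hospital order records (not project data).
SAMPLE_ROWS = [
    ("H001", "Central Hospital", "1 Main St"),
    ("H002", "North Clinic", "22 Hill Rd"),
    ("H003", "Central Hospital", "9 Harbour Way"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table; the schema is an assumption for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE order_hos (hos_num TEXT, hospital_name TEXT, hospital_address TEXT)"
    )
    conn.executemany("INSERT INTO order_hos VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_order_hos_num_vulnerable(conn, hospital_name: str, hospital_address: str):
    """Deliberately vulnerable: request parameters are concatenated into the SQL text,
    so a quote in the input ends the string literal and the rest becomes SQL syntax.
    This mirrors the bug class in CVE-2025-15450; it is not the project's code."""
    sql = (
        "SELECT hos_num FROM order_hos WHERE hospital_name = '" + hospital_name
        + "' AND hospital_address = '" + hospital_address + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def find_order_hos_num_safe(conn, hospital_name: str, hospital_address: str):
    """Hardened form: the SQL text is fixed and the values are bound as parameters,
    so the database never parses user input as part of the statement."""
    sql = "SELECT hos_num FROM order_hos WHERE hospital_name = ? AND hospital_address = ?"
    return [row[0] for row in conn.execute(sql, (hospital_name, hospital_address))]


# Constructed payloads supplied as the hospitalAddress value.
# Tautology: closes the literal and ORs in an always-true condition (AND binds tighter
# than OR, so the whole WHERE clause becomes true for every row).
TAUTOLOGY = "' OR '1'='1"
# UNION: closes the literal and appends a second SELECT that reads another column;
# the trailing -- comments out the dangling quote the original query adds.
UNION_PAYLOAD = "' UNION SELECT hospital_address FROM order_hos --"


if __name__ == "__main__":
    conn = make_db()
    print("legit, vulnerable :", find_order_hos_num_vulnerable(conn, "Central Hospital", "1 Main St"))
    print("legit, safe       :", find_order_hos_num_safe(conn, "Central Hospital", "1 Main St"))
    print("tautology, vuln   :", find_order_hos_num_vulnerable(conn, "Central Hospital", TAUTOLOGY))
    print("tautology, safe   :", find_order_hos_num_safe(conn, "Central Hospital", TAUTOLOGY))
    print("union, vulnerable :", find_order_hos_num_vulnerable(conn, "x", UNION_PAYLOAD))
    print("union, safe       :", find_order_hos_num_safe(conn, "x", UNION_PAYLOAD))
```

With the legitimate inputs both functions return the same single record. With the tautology payload the concatenating version returns every hos_num in the table, and with the UNION payload it returns the contents of a column the query was never meant to expose; the parameterized version returns nothing in both cases because the payload is compared literally against the address column. The hardened function is the shape any fix for findOrderHosNum has to take, whatever data-access layer the project uses.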

Potential Impact

For European organizations running sfturing hosp_order, particularly healthcare providers, the risk is direct: the vulnerable endpoint handles hospital order lookups, so a successful injection could read patient and order records, alter or delete order data, and disrupt the services that depend on it. Unauthorized access to patient data would be a personal data breach under the GDPR, with the associated notification duties, fines and reputational damage. Because the attack is launched over the network against an application endpoint, an exposed instance is reachable by any threat actor scanning for it, and the lack of a vendor response means there is no patch to close the window. The impact is not limited to confidentiality: tampering with or deleting order records can disrupt clinical operations at hospitals, clinics and other providers across Europe and erode trust in digital healthcare systems.

Mitigation Recommendations

No official patch exists, so organizations running hosp_order need compensating controls now. Because the project has no version numbers, first establish exposure: check whether the deployment was built from a checkout at or before commit 627f426331da8086ce8fff2017d65b1ddef384f8, and whether /ssm_pro/orderHos/ is reachable from outside the trusted network. The real fix is in the code: the query behind findOrderHosNum must bind hospitalAddress and hospitalName as parameters (prepared statements or the data-access layer's parameter binding) instead of concatenating them into the SQL text; input validation on those fields is useful defence in depth but not a substitute. While the code is being fixed, put a WAF or reverse proxy in front of the application with rules that block SQL metacharacters, comment sequences and UNION/OR clauses in those two parameters, and audit the rest of the codebase for the same concatenation pattern, since a project with one such bug usually has others. Run the application's database account with least privilege (read/write only on the tables it needs, no DDL, no file or OS access) so that an injection cannot reach beyond the data the endpoint already serves. Restrict network access to the hosp_order host to the clients that need it, and review web server and database logs for requests to /ssm_pro/orderHos/ whose parameters contain quotes, comment sequences or UNION/OR clauses, as well as for unusual query volume or database errors. Since the vendor has not responded, plan for no upstream fix arriving: fork and patch locally, or migrate to a maintained alternative. Finally, keep tested backups and an incident response plan ready, because integrity attacks on order data may only be noticed after the fact.
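As an added example, not from the advisory or the project, the following Python scanner implements the log review suggested above: it parses access-log lines in combined format, URL-decodes the two watched parameters, and flags requests under /ssm_pro/orderHos/ whose hospitalAddress or hospitalName values contain injection patterns. The exact request URL /ssm_pro/orderHos/findOrderHosNum is assumed from the function name in the description (the record gives no URL mapping), and the log lines are constructed. The patterns go beyond the tautology case to UNION, comment-terminator, stacked-query and time-based payloads.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumed: the handler is served under this path (the record names the path prefix
# and the function findOrderHosNum, not the final URL).
TARGET_PATH_PREFIX = "/ssm_pro/orderHos/"
WATCHED_PARAMS = ("hospitalAddress", "hospitalName")

# Shapes that a legitimate hospital name or street address should never contain.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+['\d]", re.I),          # ' OR '1'='1, ' OR 1=1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),  # UNION SELECT
    re.compile(r"(--|/\*)"),                             # comment terminators
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I),  # stacked queries
    re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),  # time-based
]

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed access-log lines for the example (two benign, two malicious, one off-path).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2026:02:10:11 +0000] "GET /ssm_pro/orderHos/findOrderHosNum?hospitalName=Central+Hospital&hospitalAddress=1+Main+St HTTP/1.1" 200 312',
    '10.0.0.5 - - [05/Jan/2026:02:10:15 +0000] "GET /ssm_pro/orderHos/findOrderHosNum?hospitalName=St.+Mary%27s+Hospital&hospitalAddress=4+Oak+Ln HTTP/1.1" 200 298',
    '203.0.113.7 - - [05/Jan/2026:02:11:02 +0000] "GET /ssm_pro/orderHos/findOrderHosNum?hospitalName=x&hospitalAddress=%27+OR+%271%27%3D%271 HTTP/1.1" 200 4410',
    '203.0.113.7 - - [05/Jan/2026:02:11:09 +0000] "GET /ssm_pro/orderHos/findOrderHosNum?hospitalName=x%27+UNION+SELECT+1%2C2--&hospitalAddress=y HTTP/1.1" 500 1201',
    '198.51.100.9 - - [05/Jan/2026:02:12:30 +0000] "GET /ssm_pro/login?user=admin%27+OR+1%3D1-- HTTP/1.1" 200 100',
]


def suspicious_values(query: str):
    """Return (param, decoded_value) pairs whose value matches an injection pattern."""
    hits = []
    params = parse_qs(query, keep_blank_values=True)  # one level of URL decoding
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = unquote_plus(raw)  # second decode catches double-encoded payloads
            if any(p.search(value) for p in SQLI_PATTERNS):
                hits.append((name, value))
    return hits


def scan_access_log(lines):
    """Flag requests under the orderHos path whose watched parameters look injected."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.startswith(TARGET_PATH_PREFIX):
            continue
        hits = suspicious_values(parts.query)
        if hits:
            findings.append({"client": client, "time": ts, "method": method,
                             "status": int(status), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], f["hits"])
```

Run against a real Tomcat or Apache access log, the scanner only inspects the two parameters the advisory names, so an apostrophe in a genuine hospital name (the St. Mary's line above) is not flagged, while the tautology and UNION requests from 203.0.113.7 are. The same patterns, applied to the same two parameters, are what a WAF rule for this endpoint should match; the off-path login request is ignored here because it is outside the scope of this CVE, not because it is harmless.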


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2026-01-04T08:42:29.942Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 695b13fadb813ff03efd5859

Added to database: 1/5/2026, 1:29:30 AM

Last enriched: 1/5/2026, 1:43:51 AM

Last updated: 1/7/2026, 4:12:45 AM

