
CVE-2025-34162: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Feijiu Medical Technology Co., Ltd. Bian Que Feijiu Intelligent Emergency and Quality Control System

Critical
Tags: Vulnerability, CVE-2025-34162, CWE-89
Published: Wed Aug 27 2025 (08/27/2025, 21:22:34 UTC)
Source: CVE Database V5
Vendor/Project: Feijiu Medical Technology Co., Ltd.
Product: Bian Que Feijiu Intelligent Emergency and Quality Control System

Description

An unauthenticated SQL injection vulnerability exists in the GetLyfsByParams endpoint of Bian Que Feijiu Intelligent Emergency and Quality Control System, accessible via the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface. The backend fails to properly sanitize user-supplied input in the strOpid parameter, allowing attackers to inject arbitrary SQL statements. This can lead to data exfiltration, authentication bypass, and potentially remote code execution, depending on backend configuration. The vulnerability is presumed to affect builds released prior to June 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.

AI-Powered Analysis

AI analysis last updated: 09/04/2025, 00:58:51 UTC

Technical Analysis

CVE-2025-34162 is a critical unauthenticated SQL injection vulnerability identified in the Bian Que Feijiu Intelligent Emergency and Quality Control System developed by Feijiu Medical Technology Co., Ltd. The flaw exists specifically in the GetLyfsByParams endpoint, accessible via the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface. The vulnerability arises because the backend fails to properly sanitize the user-supplied input in the strOpid parameter. This improper neutralization of special elements used in SQL commands (CWE-89) allows an attacker to inject arbitrary SQL statements directly into the database query. Since the vulnerability requires no authentication and no user interaction, it is highly exploitable remotely over the network. The impact of exploitation includes unauthorized data exfiltration, bypassing authentication mechanisms, and potentially executing remote code on the backend system depending on the database and server configuration. The vulnerability affects all builds released prior to June 2025, although the exact affected version range is not fully defined. Newer versions of the product reportedly contain fixes. The CVSS 4.0 base score of 9.3 reflects the critical severity, with network attack vector, no required privileges or user interaction, and high impact on confidentiality and system control. The vulnerability was first observed exploited in the wild by the Shadowserver Foundation on July 23, 2025, indicating active threat actor interest. Given the product’s role in emergency and quality control in medical environments, exploitation could severely disrupt healthcare operations and compromise sensitive patient data.

Potential Impact

For European organizations, especially healthcare providers and emergency response units using the Bian Que Feijiu Intelligent Emergency and Quality Control System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive medical data, violating GDPR and other data protection regulations, resulting in legal and financial penalties. The ability to bypass authentication and potentially execute remote code could allow attackers to disrupt emergency services, degrade patient care quality, or manipulate medical records, causing direct harm to patients and undermining trust in healthcare infrastructure. Additionally, the critical nature of the vulnerability means that attackers can exploit it remotely without credentials, increasing the likelihood of widespread attacks. The disruption of emergency and quality control systems could also have cascading effects on hospital operations and public health responses, especially during crises. The reputational damage and operational downtime could be severe for affected European healthcare institutions.

Mitigation Recommendations

1. Immediate upgrade to the latest version of the Bian Que Feijiu Intelligent Emergency and Quality Control System where the vulnerability is patched. Coordinate with the vendor to confirm the fixed versions and apply updates promptly.
2. Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the strOpid parameter and the /AppService/BQMedical/WebServiceForFirstaidApp.asmx endpoint.
3. Conduct thorough input validation and sanitization on all user-supplied inputs, especially parameters used in SQL queries, employing parameterized queries or prepared statements to prevent injection.
4. Restrict network access to the vulnerable interface by limiting exposure to trusted internal networks or VPNs, reducing the attack surface.
5. Monitor logs and network traffic for anomalous SQL queries or unusual activity patterns indicative of exploitation attempts.
6. Perform regular security assessments and penetration testing focused on injection vulnerabilities within the medical system environment.
7. Develop and test incident response plans specifically addressing potential exploitation scenarios of this vulnerability to minimize operational impact.
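A log-side check for recommendation 5, added here as an example that is not part of the advisory or of the vendor's product: it scans constructed IIS-style access-log lines for requests to the advisory's .asmx endpoint whose strOpid value falls outside an assumed identifier allowlist or carries generic SQL-injection indicators. Only the endpoint path and parameter name come from the advisory; the log format, the allowlist, the sample lines and all addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoint and parameter named in the advisory (compared case-insensitively).
ENDPOINT = "/appservice/bqmedical/webserviceforfirstaidapp.asmx"
PARAM = "strOpid"

# Assumption, not from the advisory: a legitimate strOpid is a short
# alphanumeric identifier. Anything outside this allowlist is suspicious.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Generic SQL-injection indicators, checked on the fully URL-decoded value.
SQLI_PATTERNS = [
    ("quote", re.compile(r"'")),
    ("comment-or-terminator", re.compile(r"--|/\*|;")),
    ("tautology", re.compile(r"\b(or|and)\s+\S+\s*=", re.I)),
    ("sql-keyword", re.compile(r"\b(union|select|insert|update|delete|drop|exec)\b", re.I)),
]

# Constructed W3C/IIS-style access log lines (not real traffic):
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2025-07-23 10:01:02 10.0.0.5 GET /AppService/BQMedical/WebServiceForFirstaidApp.asmx/GetLyfsByParams strOpid=20250723001 203.0.113.7 200
2025-07-23 10:01:09 10.0.0.5 GET /AppService/BQMedical/WebServiceForFirstaidApp.asmx/GetLyfsByParams strOpid=1%27%20OR%201%3D1-- 203.0.113.7 200
2025-07-23 10:01:15 10.0.0.5 GET /AppService/BQMedical/WebServiceForFirstaidApp.asmx/GetLyfsByParams strOpid=1%27%20UNION%20SELECT%20NULL-- 203.0.113.7 500
2025-07-23 10:02:00 10.0.0.5 GET /index.html - 198.51.100.3 200
"""


def analyse_line(line):
    """Return a finding dict for a suspicious GetLyfsByParams request, else None."""
    fields = line.split()
    if len(fields) < 8:
        return None
    _date, _time, _server, _method, stem, query, client, status = fields[:8]
    if not stem.lower().startswith(ENDPOINT):
        return None
    params = parse_qs("" if query == "-" else query, keep_blank_values=True)
    for raw in params.get(PARAM, []):
        value = unquote(raw)  # second decode catches double-encoded (%2527) evasion
        reasons = [name for name, pat in SQLI_PATTERNS if pat.search(value)]
        if not ALLOWED_VALUE.match(value):
            reasons.insert(0, "outside-expected-format")
        if reasons:
            return {"client": client, "status": status, "strOpid": value, "reasons": reasons}
    return None


def scan_log(text):
    """Run analyse_line over every line and keep only the findings."""
    return [f for f in map(analyse_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Access logs do not record SOAP POST bodies, so this only sees query-string invocations of the method; the same value check has to run wherever the request body is visible (a WAF or the application itself) to cover SOAP calls.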


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.566Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68af7981ad5a09ad006645b1

Added to database: 8/27/2025, 9:32:49 PM

Last enriched: 9/4/2025, 12:58:51 AM

Last updated: 9/4/2025, 12:58:51 AM

