CVE-2025-40687 is a critical SQL Injection vulnerability (CWE-89) identified in version 1.2 of the PHPGurukul Online Fire Reporting System (OFRS). The vulnerability arises from improper neutralization of special elements in SQL commands, specifically in the parameters 'mobilenumber', 'teamleadname', and 'teammember' within the '/ofrs/admin/add-team.php' endpoint. This flaw allows an unauthenticated attacker to execute arbitrary SQL queries against the backend database. Exploitation can lead to unauthorized retrieval, creation, modification, or deletion of database records. Given the CVSS 4.0 base score of 9.3 (critical), the vulnerability is remotely exploitable without any authentication or user interaction, with low attack complexity and no scope change. The impact on confidentiality, integrity, and availability is high, enabling full compromise of the database and potentially the entire application data. The vulnerability is currently published but no known exploits have been reported in the wild yet. The lack of available patches increases the urgency for mitigation. This vulnerability is particularly dangerous because the affected system manages fire reporting data, which may include sensitive operational and emergency response information. An attacker could manipulate team assignments, contact details, or other critical data, disrupting emergency services or leaking sensitive information.

For European organizations using the PHPGurukul Online Fire Reporting System, this vulnerability poses a severe risk. Fire reporting systems are critical infrastructure components that support emergency response coordination. Exploitation could lead to unauthorized access to sensitive emergency data, manipulation of team assignments, or disruption of fire response operations. This could result in delayed emergency responses, endangering public safety and causing reputational damage to public safety agencies. Additionally, unauthorized data disclosure could violate GDPR regulations, leading to legal and financial penalties. The critical nature of this vulnerability means that any exploitation could have immediate and severe operational impacts, especially in countries with centralized or digitalized emergency management systems relying on this software. The absence of authentication requirements for exploitation further exacerbates the risk, allowing external attackers to target these systems remotely.

Given the absence of official patches, European organizations should implement immediate compensating controls. First, restrict network access to the '/ofrs/admin/add-team.php' endpoint by applying strict firewall rules or IP whitelisting to limit access only to trusted administrative networks. Second, implement Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection patterns targeting the vulnerable parameters ('mobilenumber', 'teamleadname', 'teammember'). Third, conduct a thorough code review and apply input validation and parameterized queries or prepared statements to sanitize inputs before they reach the database layer. If possible, upgrade to a newer, patched version of the software once available. Additionally, monitor logs for suspicious database queries or unusual activity related to the affected endpoint. Regular backups of the database should be maintained to enable recovery in case of data tampering. Finally, raise awareness among IT and security teams about this vulnerability to ensure rapid incident response if exploitation attempts are detected.