CVE-2025-40691 is a critical SQL Injection vulnerability identified in version 1.2 of the PHPGurukul Online Fire Reporting System. The flaw resides in the 'todate' parameter of the '/ofrs/admin/bwdates-report-result.php' endpoint. Due to improper neutralization of special elements used in SQL commands (CWE-89), an unauthenticated attacker can inject malicious SQL code. This allows the attacker to perform unauthorized actions on the backend database, including retrieving sensitive data, creating new records, updating existing entries, or deleting data. The vulnerability is remotely exploitable over the network without any authentication or user interaction, as indicated by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). The impact on confidentiality, integrity, and availability is high, as the attacker can fully manipulate the database contents. No patches are currently available, and no known exploits are reported in the wild yet. The vulnerability was reserved in April 2025 and published in September 2025, reflecting recent discovery and disclosure. Given the critical CVSS score of 9.3, this vulnerability poses a severe risk to organizations using this specific version of the Online Fire Reporting System, especially those relying on it for critical incident reporting and management.

For European organizations, the exploitation of this vulnerability could lead to severe operational disruptions and data breaches. The Online Fire Reporting System is likely used by municipal or regional emergency services to log and manage fire incidents. Unauthorized access to this system's database could result in exposure of sensitive incident data, manipulation of fire reports, or deletion of critical records, undermining emergency response effectiveness. This could compromise public safety, erode trust in emergency services, and potentially lead to legal and regulatory consequences under GDPR due to unauthorized access to personal or sensitive data. Additionally, attackers could leverage the compromised system as a foothold for further network intrusion or ransomware deployment. The lack of authentication and user interaction requirements increases the risk of automated mass exploitation attempts, potentially affecting multiple organizations simultaneously.

Immediate mitigation should focus on restricting access to the vulnerable endpoint by implementing network-level controls such as IP whitelisting or VPN-only access for administrative interfaces. Organizations should conduct a thorough audit of their Online Fire Reporting System installations to identify affected versions. Since no official patches are currently available, temporary mitigation can include input validation and sanitization of the 'todate' parameter at the web application firewall (WAF) level to block suspicious SQL syntax patterns. Deploying a WAF with custom rules tailored to detect and block SQL injection attempts targeting this parameter is recommended. Additionally, monitoring database query logs for anomalous activity related to the 'todate' parameter can help detect exploitation attempts early. Organizations should prepare for rapid patch deployment once an official fix is released by PHPGurukul. Finally, regular backups of the database should be maintained to enable recovery in case of data manipulation or deletion.