
CVE-2025-5612: SQL Injection in PHPGurukul Online Fire Reporting System

Severity: Medium
Type: Vulnerability
Published: Wed Jun 04 2025 (06/04/2025, 21:00:18 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Online Fire Reporting System

Description

A vulnerability has been found in PHPGurukul Online Fire Reporting System 1.2 and classified as critical. This vulnerability affects unknown code of the file /reporting.php. The manipulation of the argument fullname leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AI-Powered Analysis

Last updated: 07/07/2025, 02:58:53 UTC

Technical Analysis

CVE-2025-5612 is a SQL injection vulnerability identified in version 1.2 of the PHPGurukul Online Fire Reporting System, specifically within the /reporting.php file. The vulnerability arises from improper sanitization or validation of the 'fullname' parameter, which an attacker can manipulate so that attacker-controlled text becomes part of the SQL statement the script builds. The injection flaw allows a remote attacker to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, modification, or deletion. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting that it requires no user interaction and only low privileges (PR:L), and that it has limited impact on confidentiality, integrity, and availability. Although the exploit has been publicly disclosed, there are no known active exploits in the wild at this time. The vulnerability may also affect other parameters, indicating a broader input validation issue within the application. Given the nature of the application, an online fire reporting system, compromise could lead to manipulation or exposure of sensitive incident reports, undermining emergency response efforts and public safety data integrity.

Potential Impact

For European organizations, particularly those involved in emergency services, municipal fire departments, or government agencies using the PHPGurukul Online Fire Reporting System, this vulnerability poses a risk of unauthorized access to sensitive incident data. Exploitation could result in exposure of confidential information, alteration of fire incident reports, or disruption of reporting workflows. This could degrade trust in emergency response systems, delay critical response actions, and potentially endanger public safety. Additionally, data breaches involving personal information of reporters or victims could lead to GDPR violations, resulting in legal and financial penalties. The medium severity rating suggests that while the vulnerability is exploitable remotely without user interaction, the impact is somewhat limited, but still significant given the critical nature of the data handled by the system.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately review and update the input validation and sanitization mechanisms for all parameters in the /reporting.php file, especially the 'fullname' parameter. Implementing parameterized queries or prepared statements is essential to prevent SQL injection attacks. If a patch from the vendor becomes available, it should be applied promptly. In the absence of an official patch, organizations should consider deploying Web Application Firewalls (WAFs) with specific rules to detect and block SQL injection payloads targeting the affected endpoints. Regular code audits and penetration testing should be conducted to identify and remediate similar injection flaws. Additionally, monitoring database logs for suspicious queries and implementing strict access controls on the database can help detect and limit the impact of potential exploitation. Finally, organizations should ensure that backups of critical data are maintained securely to enable recovery in case of data tampering.
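To make the parameterized-query recommendation concrete, the following is an added PHP example (not PHPGurukul's code): a report-insert function written in the string-concatenation style that produces this class of bug, beside the prepared-statement form that removes it. The table and column names (tblreport, FullName, Phone, Address), the length limit, and the connection details are assumptions for illustration.

```php
<?php
// Added example, not code from the Online Fire Reporting System.
// Table/column names below are assumed for illustration only.

// --- Vulnerable pattern: user input is spliced straight into the SQL text ---
function saveReportUnsafe(mysqli $db, array $post): bool
{
    $fullname = $post['fullname'] ?? '';
    $phone    = $post['phone'] ?? '';
    $address  = $post['address'] ?? '';
    // A quote character inside $fullname terminates the string literal, so the
    // remainder of the input is parsed as SQL rather than stored as data.
    $sql = "INSERT INTO tblreport (FullName, Phone, Address) "
         . "VALUES ('$fullname', '$phone', '$address')";
    return (bool) $db->query($sql);
}

// --- Hardened pattern: parameterized INSERT; input travels as bound data only ---
function saveReportSafe(mysqli $db, array $post): bool
{
    $fullname = trim((string) ($post['fullname'] ?? ''));
    $phone    = trim((string) ($post['phone'] ?? ''));
    $address  = trim((string) ($post['address'] ?? ''));

    // Validation on top of parameterization: reject empty or oversized values
    // (100-character limit is an assumed column constraint).
    if ($fullname === '' || mb_strlen($fullname) > 100) {
        return false;
    }

    $stmt = $db->prepare(
        'INSERT INTO tblreport (FullName, Phone, Address) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // Values are bound as string parameters; the driver never re-parses them
    // as part of the statement, so quote characters have no syntactic effect.
    $stmt->bind_param('sss', $fullname, $phone, $address);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage with assumed connection details:
// $db = new mysqli('localhost', 'ofrs_user', 'ofrs_pass', 'ofrs');
// $db->set_charset('utf8mb4');
// saveReportSafe($db, $_POST);
```

The same prepare/bind pattern should be applied to every parameter /reporting.php writes to the database, since the advisory notes that parameters other than fullname may also be affected.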


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-04T10:59:40.496Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6840c579182aa0cae2c16b05

Added to database: 6/4/2025, 10:15:21 PM

Last enriched: 7/7/2025, 2:58:53 AM

Last updated: 8/15/2025, 2:50:23 AM
