
CVE-2025-5616: SQL Injection in PHPGurukul Online Fire Reporting System

Medium
Published: Wed Jun 04 2025 (06/04/2025, 22:31:06 UTC)
Source: CVE Database V5
Vendor/Project: PHPGurukul
Product: Online Fire Reporting System

Description

A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AI-Powered Analysis

Last updated: 07/07/2025, 02:41:50 UTC

Technical Analysis

CVE-2025-5616 is a SQL injection vulnerability in version 1.2 of the PHPGurukul Online Fire Reporting System, located in /admin/profile.php. The 'mobilenumber' parameter is placed into a database query without adequate validation or parameter binding, so an attacker who can submit a crafted value for it can change the structure of the query and run attacker-chosen SQL against the backend database. The advisory states that the attack can be launched remotely and that an exploit has been publicly disclosed. It does not publish a CVSS vector or say whether authentication is required; because the affected page sits under the application's /admin/ area, an authenticated admin session is the most plausible precondition, and the CVSS 4.0 score of 5.3 (medium) is consistent with that reading rather than with unauthenticated access. A successful injection can read, modify, or delete database contents, affecting confidentiality, integrity, and availability. The note that other parameters may be affected points to a broader pattern of unparameterized queries in the application rather than a single faulty line. No vendor patch has been disclosed and no in-the-wild exploitation has been observed, but a public exploit lowers the bar for attempts.

Potential Impact

For European organizations running PHPGurukul Online Fire Reporting System version 1.2, the exposure is concrete. The application stores user profiles, fire reports, and contact details that feed emergency-response coordination. Exploitation could expose that data, and an attacker who can modify or delete records could disrupt reporting workflows and delay or break response to an incident, with direct consequences for public safety and trust. Because the records include personal data, a breach could also trigger notification duties and penalties under GDPR. The medium CVSS score reflects the technical preconditions for exploitation, not the operational weight of the system, so it should not by itself drive the priority assigned to remediation.

Mitigation Recommendations

The root fix is in the code: every query in /admin/profile.php, and then in the rest of the application, should be a parameterized query or prepared statement, with the 'mobilenumber' value and other user-supplied fields bound as parameters rather than concatenated into the SQL string. Add allow-list validation on top (a mobile number should only ever contain digits and an optional leading plus sign), but treat validation as defence in depth, not as a substitute for parameterization; escaping functions are likewise not a replacement. A code review of the whole application is warranted, since the advisory notes that other parameters are likely affected. Until a vendor fix is available, reduce exposure of the admin interface by restricting it to trusted IP ranges or placing it behind a VPN, and deploy a Web Application Firewall with rules tuned for SQL injection as a stop-gap, bearing in mind that WAF rules can be bypassed and should not be the only control. Review web server and database logs for unusual queries, error bursts, or unexpected requests to /admin/profile.php. Plan to apply the official patch promptly once it is released, and if the system cannot be patched or isolated in the meantime, consider taking the admin interface offline.
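The vulnerable pattern and its hardened replacement, as an added example in PHP with mysqli; this is illustrative code written for this page, not the project's own /admin/profile.php, whose exact logic is not shown here. The table name tbladmin, the columns MobileNumber and ID, the $_SESSION key, and the function names are all assumptions chosen for the example.

```php
<?php
// Added example, not code from PHPGurukul. Shows the pattern behind the
// CVE-2025-5616 report: an admin profile update that concatenates the
// 'mobilenumber' request parameter into SQL, beside a hardened version that
// validates the value against an allow-list and binds it as a parameter.
// Table and column names (tbladmin, MobileNumber, ID) are assumptions.

// --- Vulnerable pattern: untrusted input concatenated into the SQL string ---
function update_mobile_vulnerable(mysqli $con, int $adminId, string $mobilenumber): bool
{
    // A value such as  9999',Email='attacker@example.com' WHERE ID=1 --
    // changes the query structure: no validation, no parameter binding.
    $sql = "UPDATE tbladmin SET MobileNumber='$mobilenumber' WHERE ID=$adminId";
    return (bool) mysqli_query($con, $sql);
}

// --- Hardened pattern, step 1: allow-list validation of the input shape ---
function validate_mobilenumber(string $raw): ?string
{
    $value = trim($raw);
    // Optional leading '+', then 7 to 15 digits, nothing else (\z also
    // rejects a trailing newline that '$' alone would accept).
    if (!preg_match('/^\+?[0-9]{7,15}\z/', $value)) {
        return null;
    }
    return $value;
}

// --- Hardened pattern, step 2: prepared statement with bound parameters ---
function update_mobile_safe(mysqli $con, int $adminId, string $mobilenumber): bool
{
    $mobile = validate_mobilenumber($mobilenumber);
    if ($mobile === null) {
        return false; // reject the request; do not try to "clean" the value
    }
    // The query text is fixed; user data travels separately as parameters,
    // so quotes or comment sequences in $mobile cannot alter the statement.
    $stmt = $con->prepare('UPDATE tbladmin SET MobileNumber=? WHERE ID=?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $mobile, $adminId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Stand-alone check of the validator, no database needed. Inputs are
// constructed for this example; the second one is a typical injection probe.
var_dump(validate_mobilenumber('+4915123456789'));
var_dump(validate_mobilenumber("9999' OR '1'='1"));

// Usage inside an admin page (assumes an existing mysqli connection $con and
// an admin session; the session key name is an assumption):
// session_start();
// if (empty($_SESSION['adminid'])) { header('Location: index.php'); exit; }
// $ok = update_mobile_safe($con, (int) $_SESSION['adminid'], $_POST['mobilenumber'] ?? '');
```

The validator is deliberately strict rather than permissive: a rejected value fails closed, and the prepared statement means the database never has to interpret the value as SQL even if the validator were loosened later. Applying the same two steps to every other user-supplied field in the application addresses the advisory's note that other parameters are likely affected.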


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-04T10:59:51.176Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6840cc16182aa0cae2c26836

Added to database: 6/4/2025, 10:43:34 PM

Last enriched: 7/7/2025, 2:41:50 AM

Last updated: 8/12/2025, 6:06:03 PM
