CVE-2025-5762: SQL Injection in code-projects Patient Record Management System
A vulnerability, which was classified as critical, was found in code-projects Patient Record Management System 1.0. Affected is an unknown function of the file view_hematology.php. The manipulation of the argument itr_no leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5762 is a SQL injection vulnerability in version 1.0 of the code-projects Patient Record Management System, located in an unidentified function of the file view_hematology.php. The itr_no request parameter is not validated or parameterized before it reaches a database query, so an attacker who controls it can alter the structure of the query rather than merely its operand. The attack can be launched over the network without user interaction; the CVSS 4.0 vector records that low privileges are required (PR:L), meaning the attacker needs a low-privileged account on the application rather than anonymous access. VulDB's description labels the issue "critical", but the CVSS 4.0 base score is 5.3 (medium): the network attack vector and absence of user interaction are offset by the privilege requirement and by the limited confidentiality, integrity and availability impact assigned. A public exploit has been disclosed, which raises the likelihood of opportunistic exploitation, although no exploitation in the wild has been reported. Depending on the privileges of the database account the application connects with, successful exploitation can disclose patient records, modify or delete them, or compromise the database more broadly. No vendor patch or mitigation is available at the time of writing, so operators must rely on compensating controls.
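The following is an added illustration of the flaw class, not code from the Patient Record Management System (whose source is not reproduced in this advisory). It reconstructs the pattern in Python against an in-memory SQLite database: the table and column names, the quoted string context around itr_no, and the sample rows are all assumptions. It shows what a tautology and a UNION payload in itr_no do when the value is concatenated into the query, and that a bound parameter plus an allowlist check neutralise both.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's database.
# The real schema is not published in the advisory; names are assumptions.
SAMPLE_SCHEMA = """
CREATE TABLE hematology (itr_no INTEGER, patient TEXT, hemoglobin REAL);
INSERT INTO hematology VALUES (1, 'Patient A', 13.5);
INSERT INTO hematology VALUES (2, 'Patient B', 11.2);
CREATE TABLE users (username TEXT, password_hash TEXT);
INSERT INTO users VALUES ('admin', 'constructed-hash-1');
INSERT INTO users VALUES ('nurse', 'constructed-hash-2');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def view_hematology_vulnerable(conn, itr_no):
    # Hypothetical reconstruction of the flawed pattern: the request
    # parameter is concatenated straight into the SQL text.
    query = ("SELECT itr_no, patient, hemoglobin FROM hematology "
             "WHERE itr_no = '" + itr_no + "'")
    return conn.execute(query).fetchall()


def view_hematology_fixed(conn, itr_no):
    # Hardened form: the value is bound as a parameter, so it can only ever
    # be compared against the column, never parsed as SQL.
    query = ("SELECT itr_no, patient, hemoglobin FROM hematology "
             "WHERE itr_no = ?")
    return conn.execute(query, (itr_no,)).fetchall()


# Assumption: a legitimate itr_no is a short decimal record identifier.
ITR_NO_PATTERN = re.compile(r"[0-9]{1,10}")


def validate_itr_no(raw):
    """Allowlist check to apply before the value reaches any query."""
    return ITR_NO_PATTERN.fullmatch(raw) is not None


def demo():
    conn = make_db()
    normal = "1"
    tautology = "1' OR '1'='1"
    union = "0' UNION SELECT username, password_hash, 0 FROM users -- "
    return {
        # concatenation: one row, then every row, then the users table
        "normal_vuln": view_hematology_vulnerable(conn, normal),
        "tautology_vuln": view_hematology_vulnerable(conn, tautology),
        "union_vuln": view_hematology_vulnerable(conn, union),
        # bound parameter: the payloads match nothing
        "tautology_fixed": view_hematology_fixed(conn, tautology),
        "union_fixed": view_hematology_fixed(conn, union),
        # allowlist: payloads are rejected before any query runs
        "normal_valid": validate_itr_no(normal),
        "tautology_valid": validate_itr_no(tautology),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The UNION case is the one that matters for a patient-record system: the injected SELECT returns rows from an entirely different table through an endpoint that was only meant to show one hematology record. The bound-parameter version returns nothing for either payload because SQLite compares the whole string against the integer column instead of interpreting it.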
Potential Impact
For European organizations, particularly healthcare providers running the affected Patient Record Management System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of patient data. A successful SQL injection could expose sensitive medical records, which would constitute a personal data breach under the GDPR with the associated notification duties, legal exposure and reputational damage. Manipulation of records could disrupt clinical workflows and patient care. Because the flaw is exploitable remotely, without user interaction and with only a low-privileged account, the exposure is greatest for installations reachable from the internet or sitting on insufficiently segmented networks. Given the sensitivity of health data and the strict European regulatory environment, exploitation could lead to substantial financial penalties and loss of patient trust. The public availability of exploit code also lowers the bar for opportunistic attackers to scan for and target vulnerable installations.
Mitigation Recommendations
Since no official patches are currently available, organizations should immediately implement the following mitigations:
1) Inventory all deployments of the affected Patient Record Management System version 1.0, including test and training instances.
2) Restrict network access to the application to trusted internal networks and, where possible, block external access to the view_hematology.php endpoint entirely.
3) Deploy WAF rules that inspect the itr_no parameter on requests to view_hematology.php. Generic SQL-injection signatures can be evaded, so prefer a positive rule that rejects any value not matching the identifier's expected format (for example, digits only if itr_no is a numeric record number).
4) Where the PHP source is deployed, fix the flaw at its root: pass itr_no to the database through a prepared statement with a bound parameter (mysqli or PDO) instead of concatenating it into the query text. Validation at a proxy is a stopgap, not a substitute.
5) Monitor web-server and database logs for quote characters, SQL keywords, comment sequences, database errors or unusually large responses on requests to view_hematology.php, and alert on them.
6) Prioritize upgrading to a fixed version once one is released, or plan migration to an alternative system with a better security record.
7) Brief IT and security teams on the vulnerability and update incident response plans to cover exploitation, including GDPR breach-notification obligations.
8) Keep secure, tested backups of patient data so records can be restored after corruption or deletion.
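As an added example for the monitoring and validation steps above (not code from the site or the vendor), the following Python script scans Apache combined-format access log lines for requests to view_hematology.php whose itr_no value does not match the expected identifier shape, and tags the kind of injection attempt seen. The log lines are constructed for the example, and the assumption that a legitimate itr_no is a short decimal number is not stated in the advisory; adjust the allowlist to whatever the deployment actually uses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2025:12:38:55 +0000] "GET /view_hematology.php?itr_no=42 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2025:12:39:01 +0000] "GET /view_hematology.php?itr_no=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Jun/2025:12:40:13 +0000] "GET /view_hematology.php?itr_no=0%27%20UNION%20SELECT%20username%2Cpassword%2C0%20FROM%20users--%20 HTTP/1.1" 200 2210 "-" "curl/8.0"
198.51.100.9 - - [06/Jun/2025:12:40:20 +0000] "GET /view_hematology.php?itr_no=42%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 1834 "-" "sqlmap/1.8"
192.0.2.5 - - [06/Jun/2025:12:41:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Assumed legitimate shape of itr_no: a short decimal identifier.
ITR_NO_OK = re.compile(r"[0-9]{1,10}")

# Coarse classification of what a rejected value looks like.
SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s+'?\d", re.I)),
    ("union", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("comment", re.compile(r"(--|#|/\*)")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
]


def inspect_line(line):
    """Return a finding dict for a suspicious view_hematology.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/view_hematology.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("itr_no")
    if not values:
        return None
    raw = values[0]  # parse_qs has already percent-decoded the value
    if ITR_NO_OK.fullmatch(raw):
        return None  # positive allowlist: looks like a normal record number
    tags = [name for name, rx in SIGNATURES if rx.search(raw)] or ["malformed"]
    return {"ip": m.group("ip"), "ts": m.group("ts"), "itr_no": raw, "tags": tags}


def scan(log_text):
    """Scan a block of log text and return all findings in order."""
    return [f for f in (inspect_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["tags"], repr(finding["itr_no"]))
```

Because the decision is made on the allowlist rather than on the signatures, an attacker who evades every pattern in SIGNATURES is still flagged (as "malformed"); the signatures only add context for the analyst. The same allowlist expression is what a WAF positive rule for this parameter would enforce.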
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-05T21:57:21.580Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6842e15f1a426642debd4c9c
Added to database: 6/6/2025, 12:38:55 PM
Last enriched: 7/7/2025, 6:42:43 PM
Last updated: 8/5/2025, 4:20:40 AM
Related Threats
- CVE-2025-8831: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8829: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8828: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8827: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8826: Stack-based Buffer Overflow in Linksys RE6250 (High)