CVE-2025-63497: n/a
The patient prescription viewing functionality in his_doc_view_single_patient.php of rickxy Hospital Management System version 1.0 contains an SQL injection vulnerability. The pat_number GET parameter is directly concatenated into SQL queries without proper sanitization, allowing authenticated attackers (doctor role) to execute arbitrary SQL queries.
AI Analysis
Technical Summary
CVE-2025-63497 identifies an SQL injection vulnerability in the his_doc_view_single_patient.php script of the rickxy Hospital Management System version 1.0. The flaw lies in the pat_number parameter passed via HTTP GET requests: the value is concatenated directly into SQL query text without sanitization or prepared statements, which violates secure coding practice and matches CWE-89 (SQL Injection). Authenticated users holding the doctor role can exploit this to inject arbitrary SQL, potentially reading, modifying, or deleting sensitive patient data in the backend database. No user interaction beyond authentication is needed, so the flaw is straightforward to exploit once doctor credentials are obtained. The CVSS v3.1 score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) indicates a network-exploitable flaw with low attack complexity, requiring low privileges (the doctor role), no user interaction, unchanged scope, low confidentiality impact, high integrity impact, and no availability impact. No patches or known exploits have been reported yet, but the risk remains significant given the sensitivity of healthcare data and the potential for data tampering or leakage. The vulnerability underlines the need for secure input handling and robust access control in healthcare management systems.
Potential Impact
For European organizations, especially healthcare providers, this vulnerability can lead to unauthorized access and manipulation of sensitive patient prescription data. The integrity of medical records could be compromised, potentially resulting in incorrect treatments or prescriptions. Confidentiality breaches could expose personal health information, violating GDPR and other data protection regulations, leading to legal and financial repercussions. The lack of availability impact means systems remain operational, but trust and data reliability are undermined. Attackers with doctor-level credentials could leverage this flaw to escalate privileges or pivot to other parts of the network. Given the critical nature of healthcare services, such an incident could disrupt patient care and damage organizational reputation. The vulnerability also raises concerns about compliance with European healthcare IT security standards and mandates.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit the rickxy Hospital Management System codebase, focusing on the his_doc_view_single_patient.php file. Implement parameterized queries or prepared statements to handle the pat_number parameter safely, eliminating direct SQL concatenation. Enforce strict input validation and sanitization on all user-supplied data, particularly GET parameters. Review and tighten role-based access controls to ensure that only authorized personnel can access sensitive patient data. Conduct thorough security testing, including static code analysis and penetration testing, to identify similar injection points. If possible, isolate the database backend with network segmentation and monitor database queries for anomalous activity. Organizations should also establish incident response plans specific to healthcare data breaches and ensure staff are trained on secure coding and security awareness. Finally, coordinate with the vendor for official patches or updates and apply them promptly once available.
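The following is an added example, not code from the rickxy Hospital Management System, showing the concatenation pattern this advisory describes beside a hardened handler that applies the recommended fixes: a role check, strict validation of pat_number, and a PDO prepared statement. The table and column names (prescriptions, pat_number, prescription_id, drug, dosage, issued_at), the `role` session key, and the digits-only format for pat_number are assumptions made for illustration; the sample rows are constructed so the script runs against an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Table/column names, the session
// 'role' key and the digits-only pat_number format are assumptions.

// --- Vulnerable pattern (for comparison only): user input spliced into SQL ---
// Any quote or SQL syntax inside $patNumber becomes part of the query text,
// which is the CWE-89 defect described in the advisory.
function buildVulnerableQuery(string $patNumber): string
{
    return "SELECT * FROM prescriptions WHERE pat_number = '" . $patNumber . "'";
}

// --- Hardened handler: role check, input validation, prepared statement ---
function fetchPrescriptions(PDO $db, array $session, array $get): array
{
    // 1. Enforce the intended role before touching any data (assumed session key).
    if (($session['role'] ?? null) !== 'doctor') {
        http_response_code(403);
        return [];
    }

    // 2. Validate the shape of pat_number (assumed format: 1 to 12 digits).
    //    Anything else is rejected before a query is built.
    $patNumber = $get['pat_number'] ?? '';
    if (!is_string($patNumber) || !preg_match('/^\d{1,12}$/', $patNumber)) {
        http_response_code(400);
        return [];
    }

    // 3. Parameterised query: the value is bound by the driver, never
    //    concatenated into the SQL text, so it cannot change the statement.
    $stmt = $db->prepare(
        'SELECT prescription_id, drug, dosage, issued_at
           FROM prescriptions
          WHERE pat_number = :pat_number'
    );
    $stmt->execute([':pat_number' => $patNumber]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE prescriptions (
    prescription_id INTEGER PRIMARY KEY,
    pat_number      TEXT NOT NULL,
    drug            TEXT NOT NULL,
    dosage          TEXT NOT NULL,
    issued_at       TEXT NOT NULL)');
$db->exec("INSERT INTO prescriptions VALUES
    (1, '1001', 'amoxicillin', '500mg', '2025-10-01'),
    (2, '1002', 'ibuprofen',   '200mg', '2025-10-02')");

$doctor = ['role' => 'doctor'];

// Legitimate lookup: returns only the rows for patient 1001.
print_r(fetchPrescriptions($db, $doctor, ['pat_number' => '1001']));

// Malformed input containing a quote character is rejected at validation
// and never reaches the database (empty result, HTTP 400).
print_r(fetchPrescriptions($db, $doctor, ['pat_number' => "10'01"]));

// A non-doctor session is refused regardless of input (empty result, HTTP 403).
print_r(fetchPrescriptions($db, ['role' => 'receptionist'], ['pat_number' => '1001']));

// The vulnerable builder is shown only to make the contrast visible; it is never executed here.
echo buildVulnerableQuery('1001'), PHP_EOL;
```

When the backend is MySQL rather than SQLite, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that parameters are bound server-side; the validation step remains useful as defence in depth and as a cheap way to log and alert on malformed pat_number values, which is the kind of anomalous query activity the advisory recommends monitoring for.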
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69121c24c86173478b6a098f
Added to database: 11/10/2025, 5:08:52 PM
Last enriched: 11/24/2025, 9:32:53 PM
Last updated: 12/25/2025, 2:56:53 PM
Views: 62
Related Threats
- CVE-2025-2406: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi (High)
- CVE-2025-2405: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus (High)
- CVE-2025-2307: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango (High)
- Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability (High)
- CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution (High)