
CVE-2025-8985: SQL Injection in SourceCodester COVID 19 Testing Management System

Severity: Medium
Published: Thu Aug 14 2025 (08/14/2025, 21:32:08 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: COVID 19 Testing Management System

Description

A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument mobilenumber leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AI-Powered Analysis

Last updated: 08/22/2025, 01:13:11 UTC

Technical Analysis

CVE-2025-8985 is a SQL Injection vulnerability identified in SourceCodester COVID 19 Testing Management System version 1.0. The vulnerability resides in the /profile.php file, specifically in the handling of the 'mobilenumber' parameter. An attacker can manipulate this parameter to inject malicious SQL code, which is then executed by the backend database. This flaw allows remote attackers to exploit the system without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the affected system, as attackers could potentially extract sensitive data, modify database contents, or disrupt service operations. Although the CVSS score is 6.9 (medium severity), the exploitability is relatively straightforward due to the lack of required privileges or user interaction. The disclosure of the exploit to the public increases the risk of exploitation, although no known exploits in the wild have been reported yet. Other parameters in the system might also be vulnerable, suggesting a broader issue with input validation and sanitization in the application. The COVID 19 Testing Management System is likely used by healthcare providers or testing centers to manage patient data and test results, making the confidentiality and integrity of this data critical.

Potential Impact

For European organizations, especially healthcare providers and public health authorities using the SourceCodester COVID 19 Testing Management System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive personal health information, including patient identities and COVID-19 test results, violating GDPR and other data protection regulations. Data manipulation could result in incorrect test results being recorded or reported, potentially impacting public health decisions and patient care. Service disruption could also affect the availability of testing management systems, hindering timely processing and reporting of COVID-19 tests. Given the critical nature of healthcare data and the ongoing importance of COVID-19 testing infrastructure, this vulnerability could undermine trust in healthcare IT systems and cause regulatory and reputational damage to affected organizations.

Mitigation Recommendations

Organizations should immediately assess whether they use SourceCodester COVID 19 Testing Management System version 1.0 and prioritize upgrading or patching the system once a vendor patch becomes available. In the absence of an official patch, applying web application firewall (WAF) rules to detect and block SQL injection attempts targeting the 'mobilenumber' parameter and other input fields is recommended. Conduct a thorough code review and input validation audit of the application, focusing on all parameters that interact with the database, to implement parameterized queries or prepared statements to prevent SQL injection. Implement strict input validation and sanitization on all user-supplied data. Monitor logs for unusual database query patterns or error messages indicative of injection attempts. Segmentation of the testing management system network and limiting database access privileges can reduce the impact of a successful attack. Additionally, ensure that backups of critical data are maintained securely to enable recovery in case of data corruption or loss.
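The two code-level recommendations above, replacing string-built SQL with a parameterized query and adding allow-list validation on the mobilenumber parameter, together with the log-monitoring recommendation, are shown here in one added example. This is illustrative code written for this page, not the SourceCodester application's code; the application is PHP, and Python's sqlite3 module stands in for its database layer. The table layout, the mobile-number format, and the access-log lines are all constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed schema standing in for the app's profile table (assumption, not the real schema).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, fullname TEXT NOT NULL, mobilenumber TEXT NOT NULL);
INSERT INTO users VALUES (1, 'Test User', '+4915112345678');
"""

# Allow-list for a mobile number (assumed format): optional leading '+', then 6 to 15 digits.
MOBILE_RE = re.compile(r"\+?[0-9]{6,15}")


def validate_mobile_number(value: str) -> str:
    """Reject anything that is not a plausible mobile number; return it unchanged if it is."""
    if not MOBILE_RE.fullmatch(value):
        raise ValueError("mobilenumber must be 6-15 digits with an optional leading '+'")
    return value


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_mobile_vulnerable(conn: sqlite3.Connection, user_id: int, mobilenumber: str) -> None:
    """The pattern the advisory describes: the request parameter is pasted into the SQL text,
    so a quote character in it changes the query's structure instead of being stored as data."""
    sql = f"UPDATE users SET mobilenumber = '{mobilenumber}' WHERE id = {user_id}"
    conn.execute(sql)
    conn.commit()


def update_mobile_safe(conn: sqlite3.Connection, user_id: int, mobilenumber: str) -> None:
    """Hardened form: allow-list validation first, then a parameterized query. The driver
    sends the value separately from the SQL text, so it can only ever be data."""
    mobilenumber = validate_mobile_number(mobilenumber)
    conn.execute("UPDATE users SET mobilenumber = ? WHERE id = ?", (mobilenumber, user_id))
    conn.commit()


def get_mobile(conn: sqlite3.Connection, user_id: int):
    row = conn.execute("SELECT mobilenumber FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def outcome(fn, *args) -> str:
    """Run fn(*args) and report 'ok' or the name of the exception it raised."""
    try:
        fn(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


# Detection side: flag /profile.php requests whose mobilenumber fails the same allow-list.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_profile_requests(log_lines):
    """Return (client_ip, decoded_value) for each /profile.php request whose mobilenumber
    query parameter would fail validate_mobile_number(). Only the query string is visible
    in a standard access log; POST bodies need application-level logging."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != "/profile.php":
            continue
        for value in parse_qs(parts.query).get("mobilenumber", []):
            if not MOBILE_RE.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample access-log lines (not from any real system); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Aug/2025:21:32:08 +0000] "GET /profile.php?mobilenumber=%2B4915112345678 HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Aug/2025:21:33:10 +0000] "GET /profile.php?mobilenumber=%2B49%27abc HTTP/1.1" 200 2048',
    '198.51.100.7 - - [14/Aug/2025:21:34:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    db = open_db()
    update_mobile_safe(db, 1, "+4915198765432")
    print(get_mobile(db, 1))
    print(outcome(update_mobile_vulnerable, db, 1, "O'Brien"), outcome(update_mobile_safe, db, 1, "O'Brien"))
    print(suspicious_profile_requests(SAMPLE_LOG))
```

The value `O'Brien` is used only to show the difference in behaviour: in the string-built query the apostrophe breaks the SQL grammar and the database raises an error, which is the symptom the advisory's log-monitoring advice is meant to catch; in the hardened path the value never reaches the database because validation rejects it, and even a value that passed validation would be bound as data. The same allow-list drives the log check, so the detection rule and the input rule cannot drift apart.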


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-13T16:54:59.065Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689e5985ad5a09ad005ef78a

Added to database: 8/14/2025, 9:47:49 PM

Last enriched: 8/22/2025, 1:13:11 AM

Last updated: 9/27/2025, 7:24:13 AM
