CVE-2025-9022: SQL Injection in SourceCodester Online Bank Management System
A vulnerability was identified in SourceCodester Online Bank Management System up to 1.0. This issue affects some unknown processing of the file /bank/statements.php. The manipulation of the argument email leads to SQL injection. The attack may be initiated remotely.
AI Analysis
Technical Summary
CVE-2025-9022 is a SQL Injection vulnerability identified in the SourceCodester Online Bank Management System version 1.0. The vulnerability exists in the processing of the /bank/statements.php file, specifically in the handling of the 'email' parameter. An attacker can manipulate this parameter to inject SQL syntax that the application passes to, and the backend database executes as part of, its own queries. This type of vulnerability allows an unauthenticated remote attacker to interfere with the queries that the application makes to its database. The consequences of successful exploitation can include unauthorized data access, data modification, or even complete compromise of the database. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The vector string (AV:N/AC:L/AT:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) shows that the attack is network exploitable without authentication or user interaction, with low complexity and partial impact on confidentiality, integrity, and availability. No patches or known exploits in the wild are currently reported. The vulnerability stems from insufficient input validation and the absence of parameterized queries in the affected PHP file, which is the most common cause of SQL injection flaws. Given that this is an online banking management system, the sensitivity of the data and the critical nature of the application elevate the risk posed by this vulnerability despite the medium CVSS score.
Potential Impact
For European organizations using the SourceCodester Online Bank Management System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive banking data. Exploitation could lead to unauthorized disclosure of customer financial information, transaction histories, and personally identifiable information (PII). Additionally, attackers could manipulate or delete banking records, potentially causing financial loss and reputational damage. The availability of banking services could also be disrupted if the database is corrupted or taken offline. Given the critical role of banking systems in the European financial ecosystem and the stringent data protection regulations such as GDPR, exploitation of this vulnerability could result in regulatory penalties and loss of customer trust. Although no known exploits are currently reported, the ease of exploitation (no authentication or user interaction required) means that attackers could potentially develop exploits quickly, increasing the urgency for mitigation.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately review and update the code handling the 'email' parameter in /bank/statements.php to ensure proper input validation and sanitization. Implementing parameterized queries or prepared statements is essential to prevent SQL injection. If source code modification is not immediately feasible, deploying a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attempts targeting the 'email' parameter can provide temporary protection. Conducting a thorough security audit of the entire application to identify and remediate similar injection points is recommended. Additionally, organizations should monitor database logs for suspicious queries and unusual access patterns. Regular backups of the database should be maintained to enable recovery in case of data corruption. Finally, updating to a patched version of the software once available is critical to fully resolve the issue.
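The following is an added example of the fix class recommended above (input validation plus a prepared statement for the 'email' parameter); it is not code from the SourceCodester project, whose actual query, table and column names are unknown, so the DSN, the bank_statements table, its columns and the bank_ro account are assumptions.

```php
<?php
// Added example: hardened handling of the 'email' parameter of /bank/statements.php.
// Not the project's own code. Table/column names, DSN and DB account are assumed.

function getStatementsByEmail(PDO $pdo, string $rawEmail): array
{
    // 1. Validate the shape of the input before it reaches any SQL. This rejects
    //    anything that is not an e-mail address, but validation alone is not the fix.
    $email = filter_var(trim($rawEmail), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('email parameter is not a valid address');
    }

    // 2. Parameterize: the value is bound separately from the query text, so the
    //    database never parses user-supplied data as SQL. This replaces the
    //    vulnerable pattern of concatenating $_GET['email'] into the query string.
    $stmt = $pdo->prepare(
        'SELECT stmt_date, amount, description'
        . ' FROM bank_statements WHERE email = :email ORDER BY stmt_date DESC'
    );
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection settings that matter for the fix: emulated prepares are disabled so
// MySQL performs true server-side prepared statements, and errors raise exceptions
// instead of being silently ignored. The read-only account limits blast radius.
$pdo = new PDO(
    'mysql:host=localhost;dbname=bank;charset=utf8mb4', // assumed DSN
    'bank_ro',                                          // assumed least-privilege account
    getenv('BANK_DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

try {
    $rows = getStatementsByEmail($pdo, $_GET['email'] ?? '');
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);          // reject malformed input without leaking detail
    echo 'Invalid request';
}
```

Rejected requests (HTTP 400) are also a useful signal to log and alert on, since repeated malformed 'email' values against this endpoint are what probing for this flaw looks like from the defender's side.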
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-14T07:05:22.815Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689eed33ad5a09ad00682006
Added to database: 8/15/2025, 8:17:55 AM
Last enriched: 8/15/2025, 8:32:49 AM
Last updated: 8/21/2025, 8:46:26 PM