CVE-2025-11608

7.3 HIGH

📋 TL;DR

CVE-2025-11608 is an SQL injection vulnerability in code-projects E-Banking System 1.0 that lets a remote, unauthenticated attacker execute arbitrary SQL via the username and password parameters of register.php. Every deployment of version 1.0 is affected; a successful attack can read or alter the whole application database, including the credential records the authentication system depends on.

💻 Affected Systems

Products:
  • code-projects E-Banking System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0. The vulnerability exists in the default code without requiring special configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the application database: theft of every stored record, authentication bypass and privilege escalation inside the application and, if the web application's database account is over-privileged, a foothold for further compromise of the database host.

🟠 Likely Case

Unauthorized access to sensitive banking data, theft of user credentials and the possibility of financial fraud through manipulated account or transaction records.

🟢 If Mitigated

Limited impact once register.php uses parameterized queries and the database account is restricted: injection attempts result only in rejected registrations and logged errors.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via POST requests to a public-facing registration endpoint.
🏢 Internal Only: MEDIUM - While less exposed, internal attackers could still exploit this to gain unauthorized access to sensitive banking data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub. Attack requires no authentication and uses simple SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://code-projects.org/ (vendor home page; no dedicated advisory is linked)

Restart Required: No

Instructions:

No official patch is available. Either replace the application or fix register.php yourself: rebuild every query that touches request parameters as a prepared statement with bound parameters instead of string concatenation.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries (applies to: all platforms)

Rewrite the queries in register.php to use prepared statements with bound parameters instead of string concatenation, and validate the username and password fields before they reach the database. Input validation narrows the attack surface but is not a sufficient defence on its own; the prepared statement is what closes the hole.
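The pattern behind this bug and the corresponding fix, as an added example that is not code from the code-projects E-Banking System: it assumes a MySQL `users` table with `username` and `password` columns, a mysqli connection with assumed credentials, and a form that posts `username` and `password` to register.php. The vulnerable function reproduces the string-concatenation pattern the advisory describes; the fixed function binds the parameters so the input can never change the structure of the statement.

```php
<?php
// Added example, not the vendor's register.php. Assumed schema: users(username, password).
declare(strict_types=1);

// BEFORE: the pattern behind CVE-2025-11608. The request parameters are pasted
// straight into the statement, so a username such as
//   x', 'y'); --
// closes the VALUES list and lets the attacker append their own SQL.
function registerVulnerable(mysqli $conn, string $username, string $password): bool
{
    $sql = "INSERT INTO users (username, password) VALUES ('$username', '$password')";
    return $conn->query($sql) !== false;
}

// AFTER: prepared statement with bound parameters. The query text is fixed
// before any user data is seen; the driver sends the values as data, so a
// quote in the input is stored as a quote, never interpreted as SQL.
function registerFixed(mysqli $conn, string $username, string $password): bool
{
    // Validation narrows the input but is defence in depth only;
    // the prepared statement is what closes the injection.
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username) || strlen($password) < 8) {
        return false;
    }
    $stmt = $conn->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    // Never store the password itself; store a slow, salted hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling for register.php.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of error strings on the page
$conn = new mysqli('localhost', 'ebank_app', 'change-me', 'ebanking'); // assumed credentials
$conn->set_charset('utf8mb4');

$username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

try {
    $registered = registerFixed($conn, $username, $password);
} catch (mysqli_sql_exception $e) {
    error_log('register.php: ' . $e->getMessage()); // log the detail, do not echo it to the client
    $registered = false;
}

if ($registered) {
    header('Location: login.php', true, 303);
} else {
    http_response_code(400);
    echo 'Registration failed.';
}
```

Two details matter beyond the prepared statement: `mysqli_report(... MYSQLI_REPORT_STRICT)` turns driver errors into exceptions that are logged server-side rather than printed, which removes the database error messages an attacker uses to confirm the injection, and the `catch` block keeps a duplicate username or other constraint failure from surfacing as anything other than a generic 400.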

Web Application Firewall (WAF) (applies to: all platforms)

Deploy a WAF with SQL injection rules in front of the application and configure it to inspect the POST parameters sent to /register.php. Treat this as a stop-gap: signature-based rules can be bypassed with encoding and comment tricks, and the code behind the WAF stays vulnerable.

🧯 If You Can't Patch

  • Isolate the E-Banking System behind a reverse proxy with strict input filtering
  • Implement network segmentation so the web server can reach only the database port it needs
  • Run the application's database account with the minimum privileges required (no DDL, no file access, no access to other schemas) so a successful injection cannot reach beyond the application tables

🔍 How to Verify

Check if Vulnerable:

Send a registration request with a single quote in the username or password field and compare the response with that of a normal registration: a raw database error, or any change in behaviour that depends on SQL syntax, indicates the unparameterized query is still in place.

Check Version:

Check the version in the download package name, the application interface or its configuration files; if no version string is present, inspect register.php directly for SQL built by concatenating request parameters.

Verify Fix Applied:

Repeat the injection test after the fix: requests carrying quotes and SQL keywords should be rejected or stored as plain data, with no database error returned to the client.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Multiple failed registration attempts with unusual payloads
  • Database query errors containing user input

Network Indicators:

  • POST requests to /register.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/register.php" AND (request_body CONTAINS "' OR" OR request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT *")
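The SIEM query above matches literal strings such as `' OR` in the request body, but on the wire a form-encoded payload looks like `username=x%27+OR+%271%27%3D%271`, so a literal match misses it unless the SIEM decodes the body first. The following is an added example, not part of the advisory or the vendor's code, that applies the same indicators after decoding: it scans constructed JSON-lines proxy events (field names `src_ip`, `method`, `uri` and `request_body` are assumed) for POSTs to /register.php whose decoded parameters carry injection tokens.

```php
<?php
// Added example, not part of the advisory or the vendor's code. Scans
// constructed JSON-lines proxy/WAF events for the indicators listed above.
// Field names (src_ip, method, uri, request_body) are assumed.
declare(strict_types=1);

// Each pattern is applied to a *decoded* parameter value.
const SQLI_PATTERNS = [
    "/'\s*(or|and)\b/i",                    // ' OR '1'='1 style tautologies
    "/\bunion\b[\s\S]*\bselect\b/i",        // UNION ... SELECT extraction
    "/\bselect\b[\s\S]*\bfrom\b/i",         // SELECT ... FROM
    "/;\s*(drop|insert|update|delete)\b/i", // stacked statements
    "/(--|\/\*)/",                          // comment terminators used to discard the rest of the query
    "/\b(sleep|benchmark)\s*\(/i",          // time-based blind probing
];

// Returns the name of the first parameter that matches, or null if none does.
function sqliParameter(string $requestBody): ?string
{
    // Decode application/x-www-form-urlencoded first: on the wire the payload
    // is username=x%27+OR+%271%27%3D%271, which a literal "' OR" match never sees.
    parse_str($requestBody, $fields);
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        foreach (SQLI_PATTERNS as $re) {
            if (preg_match($re, $value) === 1) {
                return (string) $name;
            }
        }
    }
    return null;
}

// Filters events to POST /register.php and returns one hit per suspicious request.
function scanEvents(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $ev = json_decode($line, true);
        if (!is_array($ev)) {
            continue;
        }
        if (($ev['method'] ?? '') !== 'POST' || ($ev['uri'] ?? '') !== '/register.php') {
            continue;
        }
        $param = sqliParameter((string) ($ev['request_body'] ?? ''));
        if ($param !== null) {
            $hits[] = [
                'src_ip' => $ev['src_ip'] ?? '?',
                'param'  => $param,
                'body'   => $ev['request_body'],
            ];
        }
    }
    return $hits;
}

// Constructed sample events: one legitimate registration, two probes, one GET.
$sample = [
    '{"src_ip":"203.0.113.5","method":"POST","uri":"/register.php","request_body":"username=alice&password=Correct-Horse-9"}',
    '{"src_ip":"198.51.100.7","method":"POST","uri":"/register.php","request_body":"username=x%27+OR+%271%27%3D%271&password=a"}',
    '{"src_ip":"198.51.100.7","method":"POST","uri":"/register.php","request_body":"username=bob&password=%27+UNION+SELECT+1%2C2--"}',
    '{"src_ip":"192.0.2.9","method":"GET","uri":"/register.php","request_body":""}',
];

foreach (scanEvents($sample) as $hit) {
    printf("ALERT src=%s param=%s body=%s\n", $hit['src_ip'], $hit['param'], $hit['body']);
}
```

Expect noise on the password field: legitimate passwords can contain quotes or `--`, so in production correlate a hit with the other indicators listed above (several flagged registrations from one source, or a matching SQL syntax error in the application log) before paging anyone, or restrict the comment-terminator pattern to the username parameter.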
