CVE-2025-2391

7.3 HIGH

📋 TL;DR

A critical SQL injection vulnerability in Blood Bank Management System 1.0 allows attackers to execute arbitrary SQL commands via the admin login page. This can lead to authentication bypass, data theft, or complete system compromise. Organizations using this specific version are affected.

💻 Affected Systems

Products:
  • Blood Bank Management System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /admin/admin_login.php file specifically. Any deployment of version 1.0 is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data exfiltration, privilege escalation to admin, and potential remote code execution on the underlying server.

🟠 Likely Case

Authentication bypass allowing unauthorized admin access, followed by data manipulation or extraction of sensitive blood bank records.

🟢 If Mitigated

Limited impact with proper input validation and WAF rules blocking SQL injection patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. Remote exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Implement Input Validation (applies to: all)

Add parameterized queries or prepared statements to admin_login.php to prevent SQL injection.

Web Application Firewall Rules (applies to: all)

Deploy WAF rules to block SQL injection patterns targeting /admin/admin_login.php.

🧯 If You Can't Patch

  • Restrict network access to the admin interface using firewall rules or VPN.
  • Implement strong authentication mechanisms and monitor for unusual login attempts.

🔍 How to Verify

Check if Vulnerable:

Check whether the system is running Blood Bank Management System version 1.0 and inspect the login query in /admin/admin_login.php: if the submitted username or password is concatenated into the SQL string rather than bound through a prepared statement, the deployment is vulnerable.

Check Version:

Check the software documentation or configuration files for version information.

Verify Fix Applied:

Test the admin login page with SQL injection payloads to ensure they are blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed login attempts with SQL payloads

Network Indicators:

  • HTTP requests to /admin/admin_login.php containing SQL keywords like UNION, SELECT, or DROP

SIEM Query:

source="web_logs" AND uri="/admin/admin_login.php" AND (payload="UNION" OR payload="SELECT" OR payload="DROP")
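Added example (not from the advisory): a Python detector that applies the log indicators above to constructed access-log lines. It URL-decodes the query string and request body before matching, because the admin login is a POST form and an encoded payload would not match the raw SIEM query, and it matches keywords on word boundaries so ordinary field values are not flagged. The `body="..."` field in the log format is an assumption of the constructed sample.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the advisory): access log extended
# with the request body, since login payloads travel in the POST body.
SAMPLE_LOGS = """\
203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "POST /admin/admin_login.php HTTP/1.1" 200 512 body="username=admin&password=secret"
203.0.113.11 - - [01/Jan/2025:10:00:01 +0000] "POST /admin/admin_login.php HTTP/1.1" 200 512 body="username=admin%27+OR+%271%27%3D%271&password=x"
203.0.113.12 - - [01/Jan/2025:10:00:02 +0000] "GET /admin/admin_login.php?username=a%27%20uNiOn%20sElEcT%201 HTTP/1.1" 200 512 body=""
203.0.113.13 - - [01/Jan/2025:10:00:03 +0000] "POST /index.php HTTP/1.1" 200 512 body="q=select+a+blood+group"
203.0.113.14 - - [01/Jan/2025:10:00:04 +0000] "POST /admin/admin_login.php HTTP/1.1" 200 512 body="username=selectorresearch&password=pw"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ body="(?P<body>[^"]*)"$'
)
# Keywords from the advisory on word boundaries, plus the quote-then-OR/AND
# tautology shape that the keyword-only SIEM query would miss.
SQLI_RE = re.compile(r"\b(union|select|drop)\b|'\s*(or|and)\b", re.IGNORECASE)

TARGET_PATH = "/admin/admin_login.php"


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["uri"].partition("?")
    rec["path"] = path
    # Decode twice so double-encoded payloads are also seen in plain form
    # (acceptable for detection; never reuse the decoded value as input).
    rec["decoded"] = unquote_plus(unquote_plus(query + "&" + rec["body"]))
    return rec


def is_suspicious(rec):
    """True when the request targets the login page and carries an SQLi shape."""
    return rec is not None and rec["path"] == TARGET_PATH and bool(SQLI_RE.search(rec["decoded"]))


def flag_sqli_attempts(log_text):
    """Return (ip, method, matched_fragment) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["ip"], rec["method"], SQLI_RE.search(rec["decoded"]).group(0)))
    return hits
```

Run on the sample, only the second and third lines are reported; the word-boundary match leaves the legitimate username containing "select" alone.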
