CVE Alert: CVE-2025-9473 – SourceCodester – Online Bank Management System

CVE-2025-9473

Severity: HIGH | Exploitation: none known | PoC: observed

A security vulnerability has been detected in SourceCodester Online Bank Management System 1.0. This impacts an unknown function of the file /feedback.php. The manipulation of the argument msg leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

CVSS v3.1 score: 7.3
Vendor: SourceCodester
Product: Online Bank Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-08-26T05:02:07.198Z
Updated: 2025-08-26T17:21:21.216Z

AI Summary Analysis

Risk verdict

High risk: publicly disclosed PoC and an automatable SQL injection exploitable without authentication require immediate attention.

Why this matters

An unauthenticated remote attacker can in effect read or alter data via the feedback mechanism in a web-facing financial application. If exploited, sensitive customer data could be leaked or records tampered, undermining trust and regulatory compliance. The presence of a PoC that is automatable increases the chance of rapid mass exploitation.

Most likely attack path

Remote, unauthenticated exploitation via the /feedback.php endpoint using the msg parameter. No user interaction (UI:N), network reachability (AV:N) and no privileges required (PR:N) mean any internet-connected instance is at risk. The impact on confidentiality, integrity and availability is high, but the scope remains local to the affected application's database (S:U); successful abuse could enable data exfiltration or modification without broader system compromise.

Who is most exposed

Deployments of SourceCodester Online Bank Management System that are publicly accessible and running on common LAMP stacks, especially self-hosted or lightly secured setups in small businesses or test environments.

Detection ideas

  • Unusual requests to feedback.php with suspicious msg payloads (e.g., SQL syntax, tautologies, UNION SELECT).
  • DB errors or abnormal query errors reflected in application logs.
  • Spike in HTTP 500/SQL-related error codes from the web tier.
  • Outbound data volume patterns inconsistent with normal feedback activity.
  • WAF logs showing SQL injection signatures targeting /feedback.php.
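The first two detection ideas above, worked as added example code (not from the advisory or from SourceCodester): a small Python scanner over Apache-style access-log lines that extracts the msg value from requests to /feedback.php, normalises it, scores it against SQL-injection indicators (tautologies, UNION SELECT, stacked queries, comment terminators) and tallies per-source alerts together with the 5xx responses those requests drew. The log lines, indicator weights and alert threshold are constructed assumptions; POST bodies do not appear in access logs, so that path needs a WAF audit log or request-body logging instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [26/Aug/2025:06:01:15 +0000] "GET /feedback.php?msg=Great+service%2C+thanks%21 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Aug/2025:06:02:01 +0000] "GET /feedback.php?msg=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Aug/2025:06:02:03 +0000] "GET /feedback.php?msg=x%27/**/UNION/**/SELECT+1%2C2%2C3--+ HTTP/1.1" 500 120 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Aug/2025:06:02:05 +0000] "GET /index.php?q=x%27+UNION+SELECT+1 HTTP/1.1" 404 90 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Indicators run against the URL-decoded, lower-cased, whitespace-collapsed msg value;
# weight 3 alerts on its own, weight 1 only adds to a request that already hit something else.
INDICATORS = {
    "union_select": (re.compile(r"\bunion\b.{0,30}\bselect\b"), 3),
    "tautology": (re.compile(r"\bor\b\s*'?\w+'?\s*=\s*'?\w+'?"), 3),
    "stacked_query": (re.compile(r";\s*(drop|insert|update|delete|select)\b"), 3),
    "comment_terminator": (re.compile(r"(--\s|--$|#|/\*)"), 1),
}
ALERT_THRESHOLD = 3  # assumed tuning value

def score_msg(msg: str) -> tuple[int, list[str]]:
    # Normalise: /**/ is a common whitespace substitute, and keyword case is irrelevant to the DB.
    text = re.sub(r"\s+", " ", re.sub(r"/\*\*/", " ", msg.lower()))
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(text)]
    return sum(INDICATORS[name][1] for name in hits), hits

def analyze_line(line: str, path: str = "/feedback.php", param: str = "msg"):
    # Returns an alert dict for a request to `path` whose `param` scores >= ALERT_THRESHOLD, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != path:
        return None
    values = parse_qs(url.query, keep_blank_values=True).get(param, [])
    score, hits = max((score_msg(v) for v in values), default=(0, []))
    if score < ALERT_THRESHOLD:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "score": score, "indicators": hits}

def scan_log(text: str):
    # Returns (alerts, per-source-IP counts of alerts and of alerted requests that drew a 5xx).
    alerts, per_ip = [], {}
    for line in text.splitlines():
        alert = analyze_line(line)
        if alert:
            alerts.append(alert)
            stats = per_ip.setdefault(alert["ip"], {"alerts": 0, "server_errors": 0})
            stats["alerts"] += 1
            stats["server_errors"] += int(alert["status"] >= 500)
    return alerts, per_ip
```

A source whose alerted requests also produce HTTP 500s is the combination the advisory singles out: injection attempts that reach the database and surface as query errors.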

Mitigation and prioritisation

  • Apply vendor patch or upgrade to the fixed version; verify in staging before production.
  • Enforce parameterised queries and strict input validation around msg; disable dynamic SQL in this path.
  • Implement least-privilege DB accounts and monitor DB activity for anomalous reads/writes.
  • Deploy compensating controls: WAF rules for SQLi, input sanitisation, and rate limiting on the endpoint.
  • Change-management: test in a staging environment, then roll out in production with monitoring; if KEV true or EPSS ≥ 0.5, treat as priority 1. If patching lags, configure strict access controls and enhanced logging as interim measures.
