CVE-2025-34162 CRITICAL

CVE-2025-34162: Bian Que Feijiu Intelligent Emergency and Quality Control System SQL Injection via GetLyfsByParams

Vendor Feijiu Medical Technology Co., Ltd.

Product Bian Que Feijiu Intelligent Emergency and Quality Control System

Weakness CWE-89 · SQLi

Published August 27, 2025

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01Description

An unauthenticated SQL injection vulnerability exists in the GetLyfsByParams endpoint of Bian Que Feijiu Intelligent Emergency and Quality Control System, accessible via the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface. The backend fails to properly sanitize user-supplied input in the strOpid parameter, allowing attackers to inject arbitrary SQL statements. This can lead to data exfiltration, authentication bypass, and potentially remote code execution, depending on backend configuration. The vulnerability is presumed to affect builds released prior to June 2025 and is remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC.

Key dates

02Disclosure timeline

August 27, 2025 CVE published

May 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34162

Related vulnerabilities

Identifiers

CVE CVE-2025-34162

CWE CWE-89

CVSS 9.3 / CRITICAL

Affected versions