PatchSiren


CVE-2025-34162 Feijiu Medical Technology Co., Ltd. CVE debrief

An unauthenticated SQL injection vulnerability in the Bian Que Feijiu Intelligent Emergency and Quality Control System allows attackers to execute arbitrary SQL commands via the strOpid parameter in the GetLyfsByParams endpoint. The vulnerability resides in the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface and was first observed in active exploitation by the Shadowserver Foundation on 2025-07-23 UTC. The issue affects builds released prior to June 2025, with remediation available in newer versions. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, and high impacts on confidentiality, integrity, and availability of subsequent systems.

Vendor: Feijiu Medical Technology Co., Ltd.
Product: Bian Que Feijiu Intelligent Emergency and Quality Control System
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-27
Original CVE updated: 2026-05-26
Advisory published: 2025-08-27
Advisory updated: 2026-05-26

Who should care

Healthcare organizations using Bian Que Feijiu Intelligent Emergency and Quality Control System; medical device security teams; incident response teams in healthcare sectors; database administrators managing backend systems for emergency medical platforms

Technical summary

The GetLyfsByParams endpoint in /AppService/BQMedical/WebServiceForFirstaidApp.asmx fails to sanitize user-supplied input in the strOpid parameter, enabling unauthenticated SQL injection. Attackers can inject arbitrary SQL statements leading to data exfiltration, authentication bypass, and potential remote code execution depending on backend database configuration and privileges. The vulnerability is exploitable remotely without authentication, with low attack complexity. Active exploitation was confirmed by Shadowserver Foundation observations beginning 2025-07-23 UTC.

Defensive priority

critical

Recommended defensive actions

  • Apply vendor patches for builds released June 2025 or later
  • Restrict network access to the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface
  • Implement Web Application Firewall rules to detect SQL injection patterns in the strOpid parameter
  • Monitor logs for anomalous queries to the GetLyfsByParams endpoint
  • Conduct database activity monitoring for unauthorized schema access or data exfiltration attempts
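
One way to carry out the log-monitoring action above, as an added example that is not vendor or PatchSiren code: a triage pass over a W3C-format web server access log that flags GetLyfsByParams requests whose strOpid value falls outside an allow-list. The log field layout, the sample log lines and the assumption that legitimate strOpid values are short identifier-like tokens are constructed for illustration and should be adjusted to the deployment.

```python
import re
from urllib.parse import parse_qs

ASMX = "/appservice/bqmedical/webserviceforfirstaidapp.asmx"  # path from the advisory
METHOD = "getlyfsbyparams"                                     # endpoint from the advisory
# Assumption: legitimate strOpid values are short identifier-like tokens.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-23 02:10:11 GET /AppService/BQMedical/WebServiceForFirstaidApp.asmx/GetLyfsByParams strOpid=A1023 192.0.2.10 200
2025-07-23 02:10:15 GET /AppService/BQMedical/WebServiceForFirstaidApp.asmx/GetLyfsByParams strOpid=1%27+OR+%271%27%3D%271 198.51.100.7 500
2025-07-23 02:11:02 POST /AppService/BQMedical/WebServiceForFirstaidApp.asmx - 198.51.100.7 200
2025-07-23 02:12:40 GET /index.aspx - 192.0.2.10 200
"""

def triage(log_text):
    """Return (reason, client_ip, timestamp) findings for the vulnerable endpoint."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is set by this directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        if not stem.startswith(ASMX):
            continue
        when = f'{row.get("date")} {row.get("time")}'
        ip = row.get("c-ip")
        if row.get("cs-method") == "POST":
            # SOAP/POST bodies are not in the access log; strOpid cannot be inspected here.
            findings.append(("post-body-not-logged", ip, when))
            continue
        if not stem.endswith("/" + METHOD):
            continue
        query = row.get("cs-uri-query", "")
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        for value in params.get("stropid", []):
            if not SAFE_VALUE.fullmatch(value):
                findings.append(("stropid-outside-allowlist", ip, when))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

POST requests are reported separately because their parameters travel in the request body, which an access log does not record; those need WAF or database-side monitoring to inspect.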

Evidence notes

CVE published 2025-08-27; exploitation evidence first observed 2025-07-23 UTC per Shadowserver Foundation. Vendor identification remains uncertain with low confidence based on reference domain candidate 'Ivtbq'. NVD status is 'Deferred'. CVSS 4.0 vector provided in source metadata.
