CVE-2025-60306
code-projects · code-projects Simple Car Rental System
A critical vulnerability has been identified in the code-projects Simple Car Rental System, assigned CVE-2025-60306 with a CVSS score of 9.9.
Executive summary
CVE-2025-60306 allows a user with low-level access to the code-projects Simple Car Rental System to illegitimately gain full administrative privileges, potentially leading to a complete system compromise. Successful exploitation could result in significant data theft, operational disruption, and unauthorized control over the affected application.
Vulnerability
This vulnerability is a permission bypass, also known as a privilege escalation flaw. An authenticated attacker with low-privilege access can exploit a weakness in the application's session management mechanism. By manipulating session data, such as cookies or tokens, the attacker can forge a new session that the system incorrectly validates as belonging to a high-privilege user, such as an administrator. This grants the attacker full administrative rights, allowing them to perform sensitive operations like accessing all user data, modifying system configurations, and deleting records.
Business impact
The business impact of this vulnerability is critical, as reflected by its CVSS score of 9.9. An attacker who successfully exploits this flaw gains complete control over the application, equivalent to that of an administrator. This can lead to severe consequences, including the theft of sensitive customer and business data, financial loss through fraudulent modifications, and significant reputational damage. Furthermore, a compromised system could be used as a pivot point to launch further attacks against the organization's internal network, posing a broader security risk.
Remediation
Immediate Action: Organizations must immediately update the code-projects Simple Car Rental System to the latest version provided by the vendor to patch this vulnerability. Due to the critical nature of this flaw, this action should be prioritized for all instances of the software, especially those accessible from the internet.
Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes reviewing application and web server access logs for administrative activity performed by accounts that are not administrators, or coming from IP addresses that administrators do not normally use. Specifically, look for multiple failed login attempts followed by a successful administrative login from the same source, or any access to administrative functions by users who should not have those permissions.
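The two log checks described above, written out as an added detection example (not code from the advisory or from the Simple Car Rental System). The log format, the admin URL prefix and the list of legitimate administrator accounts are assumptions, and the sample lines are constructed; successful access to an admin function stands in for "successful administrative login".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the "timestamp ip account path status" layout is assumed.
SAMPLE_LOG = """\
2025-10-01T10:00:01 203.0.113.5 alice /login 401
2025-10-01T10:00:04 203.0.113.5 alice /login 401
2025-10-01T10:00:07 203.0.113.5 alice /login 401
2025-10-01T10:00:20 203.0.113.5 admin /admin/users 200
2025-10-01T10:05:00 198.51.100.9 bob /admin/settings 200
2025-10-01T10:06:00 192.0.2.44 admin /admin/users 200
"""

ADMIN_ACCOUNTS = {"admin"}          # assumed: accounts allowed to use admin functions
ADMIN_PREFIX = "/admin/"            # assumed: URL prefix of the administrative interface
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, path, status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "path": path, "status": int(status)})
    return events


def admin_access_by_non_admin(events):
    """Rule 1: successful use of an admin function by an account that is not an administrator."""
    return [e for e in events if e["path"].startswith(ADMIN_PREFIX)
            and e["status"] == 200 and e["user"] not in ADMIN_ACCOUNTS]


def failed_logins_then_admin(events, threshold=3, window=timedelta(minutes=5)):
    """Rule 2: >= threshold failed logins from one IP, then admin access from that IP within window."""
    failures, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["path"] == "/login" and e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
        elif e["path"].startswith(ADMIN_PREFIX) and e["status"] == 200:
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(e)  # burst of failures followed by admin access: investigate
    return alerts
```

On the constructed sample, rule 1 flags bob's access to /admin/settings and rule 2 flags the admin access from 203.0.113.5 that followed three failed logins; the second admin access, from 192.0.2.44, raises nothing.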
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:
- Restrict network access to the application's administrative interface to a limited set of trusted IP addresses.
- Deploy a Web Application Firewall (WAF) with rules designed to detect and block session manipulation and privilege escalation attempts.
- Temporarily disable low-privilege user accounts if they are not essential for business operations until patching is complete.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.9) of this vulnerability, we strongly recommend that organizations take immediate action. The ability for a low-privilege user to gain full administrative control presents a direct and severe threat to confidentiality, integrity, and availability. All affected instances of the Simple Car Rental System should be patched immediately, with internet-facing systems being the top priority. Although this CVE is not currently on the CISA KEV list, its high impact makes it a prime candidate for future inclusion, and it should be treated with the highest urgency.