A critical SQL Injection vulnerability, identified as CVE-2025-63451, has been discovered in the Car-Booking-System-PHP component. This flaw allows an unauthenticated attacker to execute malicious database commands through the sign-in page, potentially leading to a complete compromise of the system, theft of sensitive user data, and unauthorized access to the application.

This vulnerability is a classic SQL Injection that exists in the /carlux/sign-in.php script. The application fails to properly sanitize user-supplied input, likely within the username or password fields on the login form. An unauthenticated remote attacker can submit specially crafted SQL statements to these fields, which are then executed directly by the backend database. Successful exploitation could allow an attacker to bypass authentication, exfiltrate the entire contents of the database (including user credentials, personal information, and booking data), modify or delete data, and in some configurations, achieve remote code execution on the underlying server.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate threat to the organization. Successful exploitation could lead to a severe data breach, exposing sensitive customer and business information. The potential consequences include major financial losses from fraud or remediation costs, severe reputational damage, loss of customer trust, and potential regulatory fines for non-compliance with data protection standards. A full system compromise could also lead to prolonged operational downtime and disruption of business services.

Immediate Action: Organizations must immediately identify all systems running the vulnerable Car-Booking-System-PHP component and apply the patches provided by the vendor. The primary remediation is to update all affected products to the latest secure version. After patching, monitor systems for any signs of post-compromise activity and review historical access logs for indicators of exploitation attempts.

Proactive Monitoring: Implement enhanced monitoring of web server and database logs. Specifically, scrutinize requests to /carlux/sign-in.php for common SQL injection patterns (e.g., UNION, SELECT, ' OR '1'='1') and malformed queries in database logs. Configure Intrusion Detection/Prevention Systems (IDS/IPS) and Web Application Firewalls (WAF) to alert on and block SQL injection signatures targeting the affected path.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Deploy a Web Application Firewall (WAF) with strict rules to filter malicious SQL queries targeting the sign-in page.
• Restrict network access to the affected application to only trusted IP ranges, if possible.
• Ensure the database account used by the application operates with the principle of least privilege, limiting an attacker's ability to escalate access or cause damage.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability, we recommend immediate and decisive action. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for complete system compromise by an unauthenticated attacker makes it a top-tier threat. Organizations must prioritize the immediate identification of all affected assets and apply the vendor-supplied updates without delay. If patching is delayed, compensating controls such as a WAF must be implemented as a matter of urgency to prevent a potentially catastrophic security breach.