CVE-2025-63452
Unknown · Unknown Multiple Products (Note: The description specifies "Car-Booking-System-PHP")
A critical SQL Injection vulnerability, identified as CVE-2025-63452, has been discovered in Car-Booking-System-PHP v.1.0, which may be a component in multiple products.
Executive summary
This flaw allows an unauthenticated attacker to execute arbitrary SQL commands against the application's database, potentially leading to a complete compromise of sensitive data, including user credentials and personal information.
Vulnerability
This vulnerability is a classic SQL Injection flaw located in the /carlux/forgot-pass.php script. An unauthenticated remote attacker can exploit this by sending specially crafted input, likely through a form field on the password reset page. Because the application fails to properly sanitize this user-supplied input before using it in a database query, the attacker can inject malicious SQL commands to manipulate the query's logic, bypass security controls, and interact directly with the database.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.4. Successful exploitation could have a severe and direct impact on the business. An attacker could exfiltrate the entire database, leading to a major data breach of sensitive customer information, user credentials, and booking details. This could result in significant reputational damage, loss of customer trust, regulatory fines (e.g., GDPR, CCPA), and financial losses associated with incident response and potential fraud. If the database service account has excessive privileges, the attacker could potentially escalate their attack to compromise the underlying server.
Remediation
Immediate Action: The primary remediation is to apply the security updates provided by the vendor. Organizations must identify all instances of the affected software (Car-Booking-System-PHP v.1.0 and any products that embed it) and update them to the latest version. In parallel, security teams should immediately begin monitoring for exploitation attempts and review historical access logs for any signs of compromise targeting the vulnerable file.
Proactive Monitoring: Monitor web server and application logs for suspicious requests to the /carlux/forgot-pass.php endpoint. Specifically, look for common SQL injection payloads (e.g., single quotes, UNION SELECT, --, SLEEP()) in the parameters of POST or GET requests. A Web Application Firewall (WAF) should be configured to detect and block SQL injection attack patterns.
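As an added example, not part of this advisory or of the Car-Booking-System-PHP project, the following Python scans web-server access-log lines for requests to the vulnerable endpoint whose parameters contain the indicator classes listed above. The log lines are constructed samples; the combined log format and the parameter name `email` are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample web-server access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /carlux/forgot-pass.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /carlux/forgot-pass.php?email=a%27%20OR%201%3D1--%20 HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.2 - - [10/Jan/2025:10:00:09 +0000] "GET /carlux/forgot-pass.php?email=x%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 200 990 "-" "python-requests/2.31"
198.51.100.2 - - [10/Jan/2025:10:00:12 +0000] "GET /carlux/forgot-pass.php?email=x%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jan/2025:10:00:20 +0000] "GET /carlux/index.php?id=1%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2025:10:00:25 +0000] "POST /carlux/forgot-pass.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/carlux/forgot-pass.php"   # endpoint named in the advisory
# Indicator classes listed in the advisory: single quotes, UNION SELECT, "--", SLEEP().
SQLI_PATTERNS = {
    "single_quote": re.compile(r"'"),
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "comment": re.compile(r"--|/\*"),
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan_line(line):
    """Return a record for a request to TARGET_PATH, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != TARGET_PATH:
        return None
    hits = set()
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)   # second decode catches double-encoded payloads
        hits.update(label for label, pat in SQLI_PATTERNS.items() if pat.search(decoded))
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": m["status"], "hits": sorted(hits)}

def scan_log(text):
    """Return only the target-endpoint requests whose parameters match an indicator."""
    return [rec for rec in map(scan_line, text.splitlines()) if rec and rec["hits"]]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} status={rec["status"]} hits={rec["hits"]}')
```

Access logs normally record only the request line, so POST bodies (the likely vector for a password-reset form) reach this check only if the application or WAF logs the submitted parameters.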
Compensating Controls: If patching is not immediately feasible, implement the following controls to mitigate risk:
- Deploy a WAF rule to specifically block malicious requests targeting the /carlux/forgot-pass.php script.
- If possible, temporarily disable the password reset functionality until a patch can be applied.
- At the code level, implement parameterized queries (prepared statements) to prevent user input from being interpreted as SQL commands.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.4 and the potential for a complete data compromise from an unauthenticated attacker, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize identifying and patching all affected systems without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high severity and the ease of exploitation make it a prime target for opportunistic attackers. If patching is delayed, compensating controls such as WAF rules must be implemented as an urgent interim measure.