A high-severity vulnerability has been discovered in multiple Rental software products, specifically identified in the Simple Car Rental System. If exploited, this flaw could allow a remote, unauthenticated attacker to access, modify, or delete sensitive database information, including customer data and rental records. This poses a significant risk of data breach, service disruption, and financial loss, requiring immediate remediation.

The vulnerability is a SQL Injection flaw. An unauthenticated, remote attacker can exploit this by sending specially crafted SQL queries through user-input fields in the web application. Successful exploitation does not require any special privileges and allows the attacker to bypass security mechanisms to directly interact with the back-end database, enabling them to exfiltrate sensitive data, modify or delete records, and potentially escalate privileges within the application. Although the vendor's description classifies the vulnerability as "critical," the CVSS score of 7.3 formally ranks it as "High" severity.

This vulnerability is rated as High severity with a CVSS score of 7.3. Exploitation could lead to severe business consequences, including a major data breach of customer personally identifiable information (PII) and payment details, resulting in significant reputational damage and potential regulatory fines (e.g., GDPR, CCPA). The ability to modify or delete rental records could disrupt core business operations, cause direct financial loss, and enable fraudulent activity. The compromise of the system's data integrity would undermine customer trust and could lead to prolonged service outages.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected systems immediately. Before deployment to production, patches should be tested in a staging environment to ensure compatibility and stability. Concurrently, security teams should actively monitor for any signs of exploitation attempts by reviewing web server and database access logs for anomalous activity.

Proactive Monitoring: Implement enhanced logging and monitoring focused on detecting SQL injection attempts. Security teams should monitor web application and database logs for suspicious query patterns such as UNION SELECT, 'OR 1=1, and time-based blind injection functions like SLEEP(). Utilize a Web Application Firewall (WAF) to detect and block known SQL injection payloads and monitor for unusual outbound traffic from database servers, which could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement a WAF with strict rules specifically designed to block SQL injection attacks as a temporary mitigating control. Restrict access to the application from untrusted networks and enforce the principle of least privilege for the application's database service account to limit the potential impact of a successful exploit.

Public Exploit Available: False

Given the High severity (CVSS 7.3) of this vulnerability and its potential for significant data compromise and operational disruption, this issue must be addressed with urgency. The primary and most critical action is to deploy the vendor-provided security patches to all affected systems. Although CVE-2025-7475 is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity dictates that it should be treated as a top priority in your organization's patch management cycle to prevent potential exploitation.