CVE-2025-12208 is a SQL injection vulnerability identified in version 1.0 of the SourceCodester Best House Rental Management System, affecting the login2 function within the /admin_class.php file. The vulnerability arises from insufficient sanitization of the Username parameter, allowing an attacker to inject malicious SQL code remotely without authentication or user interaction. This flaw enables attackers to manipulate backend database queries, potentially leading to unauthorized data disclosure, data modification, or even full system compromise depending on the database privileges. The vulnerability is rated with a CVSS 4.0 score of 6.9 (medium severity), reflecting its network exploitability, lack of required privileges, and absence of user interaction, but limited impact scope and vector complexity. Although no known exploits have been observed in the wild, the public disclosure of exploit code increases the likelihood of exploitation attempts. The affected software is used for managing rental properties, which may contain sensitive tenant and financial information, making this vulnerability a significant concern for organizations relying on this system. The lack of an official patch at the time of disclosure necessitates immediate mitigation through secure coding practices and monitoring.

For European organizations, exploitation of this vulnerability could lead to unauthorized access to sensitive tenant data, financial records, and administrative controls within the rental management system. This compromises confidentiality and integrity, potentially resulting in data breaches, fraud, or service disruption. Real estate agencies, property managers, and rental platforms using this software may face reputational damage, regulatory penalties under GDPR for data exposure, and operational downtime. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially if attackers automate exploitation attempts. Given the critical role of rental management systems in housing markets, disruption could affect tenant services and business continuity. The medium severity rating suggests moderate but tangible risks that require timely attention to prevent escalation.

European organizations should immediately implement input validation and sanitization on all user-supplied data, especially the Username parameter in the login2 function. Employing parameterized queries or prepared statements to interact with the database will prevent SQL injection attacks. Until an official patch is released, consider deploying web application firewalls (WAFs) with rules targeting SQL injection patterns specific to this vulnerability. Conduct thorough code reviews and security testing on the affected module. Monitor logs for unusual database query patterns or repeated failed login attempts indicative of exploitation attempts. Restrict database user privileges to the minimum necessary to limit potential damage. Engage with the vendor or community for updates on patches or mitigations. Additionally, ensure regular backups of critical data to enable recovery in case of compromise.