CVE-2025-12222 is a vulnerability identified in Bdtask Flight Booking Software versions up to 3.1, specifically within the Deposit Handler component accessed via /admin/transaction/deposit. The issue allows an attacker to upload files without restriction, bypassing any validation or security controls that would normally prevent malicious files from being uploaded. This unrestricted upload capability can be exploited remotely without requiring authentication or user interaction, increasing the attack surface significantly. The vulnerability could enable attackers to upload web shells or other malicious payloads, potentially leading to unauthorized code execution, data leakage, or disruption of service. The CVSS v4.0 base score is 5.3 (medium), reflecting the moderate impact on confidentiality, integrity, and availability, and the ease of exploitation due to no authentication or user interaction requirements. Despite public disclosure and vendor notification, no patches or mitigations have been released, leaving systems exposed. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code may be developed following disclosure. The vulnerability affects critical components of flight booking operations, which are integral to travel and aviation sectors, making it a significant concern for organizations relying on this software.

For European organizations, exploitation of this vulnerability could lead to unauthorized access to internal systems, data breaches involving sensitive customer and transaction data, and potential disruption of flight booking services. The aviation and travel sectors are highly regulated and sensitive to downtime or data compromise, which could result in financial losses, reputational damage, and regulatory penalties under GDPR. Attackers could leverage the unrestricted upload to deploy malware or ransomware, escalate privileges, and move laterally within networks. This is particularly concerning for European airlines, travel agencies, and airport operators using Bdtask Flight Booking Software. The medium severity score indicates a moderate but tangible risk, especially given the lack of vendor response and patch availability. The potential impact on confidentiality, integrity, and availability makes timely mitigation critical to prevent exploitation that could affect customer trust and operational continuity.

Organizations should immediately implement strict file upload validation controls, including whitelisting allowed file types, enforcing file size limits, and scanning uploads for malware. Network segmentation should isolate the flight booking software from critical internal systems to limit lateral movement if compromise occurs. Employ web application firewalls (WAFs) to detect and block suspicious upload attempts targeting /admin/transaction/deposit endpoints. Monitor logs and network traffic for unusual activity indicative of exploitation attempts. If possible, disable or restrict access to the vulnerable Deposit Handler component until a patch is available. Conduct regular security assessments and penetration testing focused on upload functionalities. Engage with Bdtask or third-party security providers for potential custom patches or mitigations. Finally, maintain up-to-date backups and incident response plans tailored to ransomware or web shell scenarios.