CVE-2025-12222: Unrestricted Upload in Bdtask Flight Booking Software
A security vulnerability has been detected in Bdtask Flight Booking Software up to 3.1. Affected by this issue is some unknown functionality of the file /admin/transaction/deposit of the component Deposit Handler. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-12222 identifies an unrestricted file upload vulnerability in Bdtask Flight Booking Software versions 3.0 and 3.1, specifically within the /admin/transaction/deposit endpoint of the Deposit Handler component. This flaw allows remote attackers to upload arbitrary files without requiring authentication or user interaction, which can lead to remote code execution, data manipulation, or denial of service. The vulnerability arises from insufficient validation and sanitization of uploaded files, enabling attackers to bypass restrictions and place malicious payloads on the server. The vendor was notified early but has not issued a patch or response, increasing the risk exposure. The CVSS 4.0 base score is 5.3 (medium), reflecting the lack of required authentication and low attack complexity, but limited impact on confidentiality, integrity, and availability individually. However, combined, these impacts can be significant if exploited. No known exploits are currently active in the wild, but public disclosure increases the likelihood of future exploitation. The software is used in flight booking systems, which are critical for travel operations and customer data management, making this vulnerability a notable risk for organizations relying on this product.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized access and control over flight booking platforms, potentially leading to data breaches involving sensitive customer information such as personal identification and payment details. Exploitation could result in service disruption, undermining trust in travel services and causing financial losses. The ability to upload arbitrary files remotely without authentication increases the risk of server compromise, malware deployment, and lateral movement within networks. Given the critical role of flight booking systems in the travel and tourism industry, affected organizations may face regulatory penalties under GDPR if customer data is exposed. Additionally, disruption of booking services could impact operational continuity and customer satisfaction. The medium severity score suggests moderate risk, but the lack of vendor response and public exploit disclosure heightens urgency for European entities to assess and mitigate this threat promptly.
Mitigation Recommendations
Organizations using Bdtask Flight Booking Software versions 3.0 or 3.1 should immediately implement compensating controls such as network segmentation to isolate the affected application from sensitive internal systems. Apply strict file upload validation by enforcing file type allowlisting, size limits, and malware scanning of uploads. Restrict upload directories to minimal permissions and disable execution rights on them so that an uploaded file can never be run as code. Monitor logs for unusual upload activity and deploy intrusion detection to catch exploitation attempts. Replace or upgrade the software to an unaffected version as soon as one is available. In the absence of a vendor patch, consider deploying a web application firewall (WAF) with custom rules that block suspicious upload requests to the /admin/transaction/deposit endpoint. Conduct regular security assessments and penetration tests focused on file upload functionality. Finally, maintain an incident response plan tailored to exploitation scenarios involving this vulnerability.
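The Technical Summary attributes the flaw to insufficient validation of uploaded files, and the recommendations above list the controls that close that gap: an extension allowlist, size limits, a non-executable storage directory, and monitoring of upload activity. The block below is an added example written for this page; it is not Bdtask's code and does not reproduce the vulnerable handler. It assumes a generic upload handler that receives the client-supplied filename and the raw bytes. The /admin/transaction/deposit path comes from the advisory; the /uploads/ web path, the 2 MiB limit, the allowed types and the access-log lines are constructed assumptions for illustration.

```python
import os
import re
import secrets
from collections import Counter

# Policy values constructed for this example; tune them to the deployment.
MAX_UPLOAD_BYTES = 2 * 1024 * 1024               # 2 MiB per file (assumed)
DEPOSIT_ENDPOINT = "/admin/transaction/deposit"  # endpoint named in the advisory
UPLOAD_URL_PREFIX = "/uploads/"                  # assumed web path of stored files
SCRIPT_EXTENSIONS = {"php", "phtml", "phar", "jsp", "asp", "aspx", "cgi", "pl", "py", "sh"}

# Allowlist: extension -> magic-byte prefixes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return a safe server-side filename, or raise UploadRejected.

    Checks, in order: size bounds, exactly one allowlisted extension (so a
    double extension such as 'x.php.png' is never trusted), and magic bytes
    that agree with that extension. The returned name is random, so the
    client controls neither the path nor the extension written to disk.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("size out of bounds")
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be name.ext with a single extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Boolean form of validate_upload for callers that only need a decision."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Validate, then write with O_EXCL and mode 0o640 (no execute bit)."""
    path = os.path.join(upload_dir, validate_upload(client_filename, data))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Combined-log-format access line: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def detect_suspicious_uploads(log_lines, burst_threshold=5):
    """Return findings from web-server access logs.

    Signal 1: one source sending many POSTs to the deposit endpoint.
    Signal 2: any request for a script-like file under the upload path,
    which should never occur if only documents and images are stored there.
    """
    findings = []
    posts_per_ip = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == DEPOSIT_ENDPOINT:
            posts_per_ip[m["ip"]] += 1
        if path.startswith(UPLOAD_URL_PREFIX) and path.rsplit(".", 1)[-1].lower() in SCRIPT_EXTENSIONS:
            findings.append(f"script-like file under upload path: {m['ip']} {path} -> {m['status']}")
    for ip, n in posts_per_ip.items():
        if n >= burst_threshold:
            findings.append(f"burst of {n} POSTs to {DEPOSIT_ENDPOINT} from {ip}")
    return findings


# Constructed sample log lines (not real traffic): five POSTs from one source,
# one legitimate document fetch, and one fetch of a script-like file.
SAMPLE_LOG = [
    f'203.0.113.9 - - [27/Oct/2025:05:20:0{i} +0000] "POST {DEPOSIT_ENDPOINT} HTTP/1.1" 200 512'
    for i in range(5)
] + [
    '198.51.100.4 - - [27/Oct/2025:05:21:10 +0000] "GET /uploads/c0ffee.pdf HTTP/1.1" 200 8192',
    '203.0.113.9 - - [27/Oct/2025:05:21:40 +0000] "GET /uploads/report.php HTTP/1.1" 200 120',
]
```

The validator and the storage step belong in the application; the log check is the kind of rule one would run in a SIEM or as a scheduled job over the web server's access log. Pair `store_upload` with a web-server rule that refuses to execute scripts from the upload directory, so that even a file which slips past validation is served as inert bytes rather than run.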
Affected Countries
Germany, France, United Kingdom, Spain, Italy, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-25T16:21:44.365Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ff0129748f7c5f7c9e45b1
Added to database: 10/27/2025, 5:20:41 AM
Last enriched: 11/3/2025, 6:10:37 AM
Last updated: 12/10/2025, 9:16:15 PM
Views: 58