CVE-2025-12222: Unrestricted Upload in Bdtask Flight Booking Software
A security vulnerability has been detected in Bdtask Flight Booking Software up to 3.1. Affected by this issue is some unknown functionality of the file /admin/transaction/deposit of the component Deposit Handler. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-12222 is an unrestricted file upload vulnerability in Bdtask Flight Booking Software up to version 3.1, in the Deposit Handler component reached through /admin/transaction/deposit. The handler accepts uploaded files without adequate validation of their type or name, so an attacker who can reach the endpoint can store arbitrary content on the server, including server-side script files that become a web shell if the upload directory is served by the web server and scripts in it are executed. The attack is carried out over the network, with low complexity and no user interaction. The published description does not say whether the endpoint is reachable without an administrator session: the path sits under /admin, and the CVSS 4.0 base score of 5.3 (medium) corresponds to a vector with low privileges required and low confidentiality, integrity and availability impact (in CVSS 4.0 the same vector with no privileges required scores 6.9), so an authenticated admin account, or a separate access-control weakness, should be assumed to be necessary until the published vector is checked. The base score understates the practical consequence: a web shell obtained through the upload gives code execution as the web server user, and data theft, tampering with bookings and movement into the internal network follow from that. The vendor was contacted before publication and did not respond, no patch is known, and exploit details are public. No exploitation in the wild is reported here, but public exploit details and the absence of a fix raise the likelihood of attempts. Affected deployments are travel agencies, airlines and booking platforms running the software at version 3.1 or earlier.
Potential Impact
An unrestricted file upload on a server-side application is, in practice, a remote code execution primitive: an uploaded web shell gives the attacker persistent access as the web server user, from which booking and customer records can be read or altered, payment data exfiltrated, services disrupted, and internal systems reached. The business consequences are loss of customer trust, financial loss, regulatory penalties and downtime. The attack needs only network access to the endpoint and no user interaction; whether it also needs an administrator session is not settled by the published description (see the note on the CVSS vector above), so deployments should treat any exposed admin interface, and any weak or shared admin credential, as part of the attack surface. Organizations handling sensitive customer and payment information through this software are the most exposed. With no vendor patch and exploit details public, the window between disclosure and exploitation attempts is likely to be short, so compensating controls should be applied now rather than after a fix appears.
Mitigation Recommendations
With no official patch available, apply compensating controls immediately. Restrict access to /admin, and to /admin/transaction/deposit in particular, to trusted networks or IP ranges through firewall rules, a VPN or reverse-proxy access control, and require strong, unique administrator credentials with multi-factor authentication where the deployment allows it. Configure the web server so that the directory the Deposit Handler writes to cannot execute scripts (for example by denying .php, .phtml and similar handlers in that location, or by serving it only as static content) and, where possible, move uploaded files outside the web root and serve them through a download handler. Add web application firewall rules that block multipart uploads to this endpoint whose filename carries an executable or double extension, or whose body does not match the declared content type. Log every upload (source address, account, original filename, stored path, size) and alert on anything outside the expected receipt formats. Audit the server's upload and web directories for files with server-side script extensions or script content, and compare against a known-good inventory. Disable the upload function entirely if deposits can be recorded without it. Implement strict server-side validation: an allowlist of extensions, a check that the file's magic bytes match the declared type, a size limit, and a server-generated random filename so the client never controls the stored path. Prepare an incident response plan for a confirmed upload, including isolating the host and rotating credentials stored on it. Upgrade as soon as a fixed version is published, keep pressing the vendor for a fix, and consider replacing the software if none is forthcoming.
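The following is an added example, not code from Bdtask or from this page, that demonstrates the two controls the Technical Summary and the Mitigation Recommendations above call for: server-side validation of an upload (extension allowlist, magic-byte check, size cap, script-marker check, server-chosen random filename) and an audit of an upload directory for files that should not be there. The accepted receipt formats (PDF, PNG, JPEG), the size limit and the sample files are assumptions for the example; the real application's upload rules are not stated on the page.

```python
import os
import re
import secrets
import tempfile

# Allowed deposit-receipt types: extension -> accepted magic-byte prefixes.
# Assumption for this example; the real application's accepted formats are unknown.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed cap for a receipt image or PDF

# Markers that indicate server-side script content in a file that claims to be a document.
SHELL_MARKERS = (b"<?php", b"<?=", b"<%", b"<jsp:", b"<script")

# Filenames no upload directory should contain: executable server-side extensions,
# and "double extensions" such as shell.php.jpg that some servers still execute.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar|asp|aspx|jsp|cgi|pl|sh)$", re.I)
DOUBLE_EXT = re.compile(r"\.(php\d?|phtml|phar|asp|aspx|jsp)\.", re.I)


def validate_upload(filename: str, data: bytes) -> str:
    """Return a random server-chosen stored name, or raise ValueError.

    Order of checks: size, extension allowlist (judged on the last extension only,
    so 'shell.php.jpg' is evaluated as 'jpg'), magic bytes matching the declared
    type, and no embedded script markers. The client never controls the stored path.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise ValueError("size out of range")
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path components
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    if any(marker in data.lower() for marker in SHELL_MARKERS):
        raise ValueError("script marker found in upload")
    return f"{secrets.token_hex(16)}.{ext}"


def audit_upload_dir(root: str) -> list:
    """Return sorted 'relative/path: reason' findings for suspicious files under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = None
            if EXEC_EXT.search(name):
                reason = "executable extension"
            elif DOUBLE_EXT.search(name):
                reason = "double extension"
            else:
                with open(path, "rb") as fh:
                    head = fh.read(65536).lower()  # first 64 KiB is enough for a marker scan
                if any(marker in head for marker in SHELL_MARKERS):
                    reason = "script marker in content"
            if reason:
                findings.append(f"{os.path.relpath(path, root)}: {reason}")
    return sorted(findings)


def demo() -> dict:
    """Run both controls over constructed samples (not real captured uploads)."""
    samples = {
        "receipt.pdf": b"%PDF-1.4 constructed sample receipt",
        "shell.php": b"<?php system($_GET['c']); ?>",
        "shell.php.jpg": b"<?php system($_GET['c']); ?>",
        "fake.jpg": b"GIF89a not really a jpeg",
        "poly.png": b"\x89PNG\r\n\x1a\n<?php echo 1; ?>",  # valid magic, script inside
    }
    validation = {}
    for name, data in samples.items():
        try:
            validate_upload(name, data)
            validation[name] = "accepted"
        except ValueError as err:
            validation[name] = f"rejected: {err}"

    # Constructed upload directory with one legitimate file and three that an
    # unrestricted upload would have let through.
    with tempfile.TemporaryDirectory() as root:
        for name, data in {
            "a1b2.pdf": b"%PDF-1.4 ok",
            "cmd.php": samples["shell.php"],
            "img.php.jpg": samples["shell.php.jpg"],
            "poly.png": samples["poly.png"],
        }.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        audit = audit_upload_dir(root)
    return {"validation": validation, "audit": audit}


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

Only receipt.pdf passes validation; the PHP file fails the extension allowlist, the double-extension and GIF-disguised files fail the magic-byte check, and the polyglot PNG is caught by the marker scan. The audit flags the same three file classes on disk. Neither control replaces disabling script execution in the upload directory, which is the check that still holds when validation has a gap.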
Affected Countries
Bangladesh, India, United States, United Kingdom, Australia, United Arab Emirates, Singapore, Malaysia, Saudi Arabia, Germany
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-25T16:21:44.365Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ff0129748f7c5f7c9e45b1
Added to database: 10/27/2025, 5:20:41 AM
Last enriched: 2/24/2026, 9:37:37 PM
Last updated: 3/22/2026, 9:03:42 AM
Views: 97