CVE-2025-12223: Unrestricted Upload in Bdtask Flight Booking Software
A vulnerability was detected in Bdtask Flight Booking Software up to 3.1. This affects an unknown part of the file /b2c/package-information of the component Package Information Module. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-12223 identifies an unrestricted file upload vulnerability in Bdtask Flight Booking Software versions 3.0 and 3.1, specifically within the Package Information Module reached via the /b2c/package-information endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates that the flaw is reachable over the network, needs no special attack conditions or user interaction, but does require a low-privileged account on the application; it is therefore not an unauthenticated upload. The vulnerability arises from insufficient validation of uploaded file names, types and content, so an attacker holding such an account can upload files the module was never meant to accept, including server-side scripts. If the upload directory is web-served and allows script execution, this leads to remote code execution on the web server and from there to unauthorized access or full system compromise, threatening the confidentiality, integrity and availability of affected systems. The CVSS score of 5.3 (medium) reflects that exploitation is easy and needs no user interaction, tempered by the low-privilege requirement. The vendor has not issued a patch and did not respond to disclosure attempts; no in-the-wild exploitation is currently known, but the public availability of an exploit raises the risk. The affected software runs flight booking operations that handle sensitive customer data and critical business processes, which makes this vulnerability significant for organizations relying on the product.
Potential Impact
For European organizations, exploitation of this vulnerability could result in unauthorized access to sensitive customer information, including personal and payment data, leading to privacy violations and regulatory non-compliance (e.g., GDPR). Attackers could deploy web shells or malware, causing service disruptions or enabling lateral movement within networks. This could damage the reputation of travel agencies and airlines using the software, potentially causing financial losses and operational downtime. Given the critical role of flight booking systems in the travel sector, disruptions could cascade to affect customer trust and business continuity. The medium severity rating suggests a moderate but tangible risk, especially in environments lacking compensating controls. The absence of vendor patches necessitates proactive defensive measures to mitigate potential exploitation.
Mitigation Recommendations
Organizations should immediately implement strict file upload validation in front of the Package Information Module: allowlist the few file types the module legitimately needs, verify that the file content matches the declared type rather than trusting the client-supplied name or Content-Type, reject double extensions and control characters in filenames, store uploads under server-generated names, enforce file size limits, and scan uploads for malware. Keep the upload directory outside the web root, or configure the web server so that nothing in it is executed as a script; this removes the path from arbitrary upload to code execution even if validation is bypassed. Because the vector requires only a low-privileged account, review who can reach the /b2c/package-information endpoint and tighten account provisioning and session controls for that role. Network segmentation should isolate the flight booking software from critical infrastructure to limit attacker movement. Employ web application firewalls (WAFs) to detect and block suspicious upload attempts targeting the /b2c/package-information endpoint. Monitor web server logs for unusual activity around the endpoint, in particular bursts of POST requests and subsequent requests for script files under the upload location. Restrict privileges of the application process to minimize impact if exploited. Consider virtual patching or other compensating controls until an official patch is released. Engage with the vendor for updates and track threat intelligence sources for emerging exploit activity. Conduct regular security assessments and penetration tests focused on file upload mechanisms.
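The validation controls listed above, and the missing checks implied by the Technical Summary, as an added example in Python. This is not code from the Bdtask product (whose upload handler is not shown on this page); the allowlist, the 2 MiB size limit and the upload directory path are assumptions chosen to illustrate the pattern.

```python
import os
import re
import secrets
from dataclasses import dataclass

# Assumed policy for a package-information upload: extension -> (magic-byte prefix, MIME type).
# Tune to what the module really needs; the point is that the list is short and closed.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "pdf": (b"%PDF-", "application/pdf"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit: 2 MiB
# Extensions that must never appear anywhere in a stored filename, even as "shell.php.png".
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "jsp", "asp", "aspx", "cgi", "sh"}
UPLOAD_DIR = "/var/app/uploads"  # assumption: a directory outside the web root


@dataclass
class UploadResult:
    ok: bool
    reason: str
    stored_path: str = ""
    mime: str = ""


def validate_upload(client_filename: str, content: bytes, upload_dir: str = UPLOAD_DIR) -> UploadResult:
    """Accept an upload only if name, size and content all satisfy the allowlist policy."""
    if not content:
        return UploadResult(False, "empty body")
    if len(content) > MAX_BYTES:
        return UploadResult(False, f"file exceeds {MAX_BYTES} bytes")

    # Only the basename is considered, so "../" or absolute paths cannot steer the write.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if re.search(r"[\x00-\x1f\x7f]", base):
        return UploadResult(False, "control character in filename")

    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        # Also rejects dotfiles such as ".htaccess".
        return UploadResult(False, "missing or dot-only filename")
    extensions = parts[1:]
    if any(ext in EXECUTABLE_EXT for ext in extensions):
        return UploadResult(False, "executable extension present (double extensions checked)")
    ext = extensions[-1]
    if ext not in ALLOWED:
        return UploadResult(False, f"extension {ext!r} not in allowlist")

    # Trust the bytes, not the name: the content must start with the magic for the declared type.
    magic, mime = ALLOWED[ext]
    if not content.startswith(magic):
        return UploadResult(False, "content does not match declared type")

    # Never reuse the client-supplied name; store under a random name with the allowlisted extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return UploadResult(True, "accepted", os.path.join(upload_dir, stored), mime)


if __name__ == "__main__":
    # Constructed inputs: a PHP web shell, a double-extension variant, and a legitimate PNG.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    for name, data in [("cmd.php", b"<?php system($_GET['c']); ?>"),
                       ("cmd.php.png", png),
                       ("../../banner.png", png)]:
        print(name, "->", validate_upload(name, data))
```

The magic-byte check stops the trivial cases (a script renamed to .png) but not a genuine PNG or PDF with a script appended as a polyglot, which is why the storage location and the no-execute configuration on the upload directory remain the controls that actually break the RCE chain.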
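The log monitoring recommended above, as an added example that is not part of the original advisory: a small detector run over constructed web server access log lines in combined format. The endpoint path comes from the advisory; the /uploads/ prefix, the five-POSTs-per-minute burst threshold and the log lines themselves are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

UPLOAD_ENDPOINT = "/b2c/package-information"  # from the advisory
UPLOAD_DIR_PREFIX = "/uploads/"               # assumption: where the module writes files
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|jsp|aspx?|cgi)$", re.I)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

# Constructed sample log, not from a real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Oct/2025:05:20:01 +0000] "GET /b2c/package-information HTTP/1.1" 200 5120',
    '203.0.113.7 - - [27/Oct/2025:05:20:14 +0000] "POST /b2c/package-information HTTP/1.1" 302 0',
    '203.0.113.7 - - [27/Oct/2025:05:20:19 +0000] "GET /uploads/package/cmd.php?c=id HTTP/1.1" 200 61',
    '192.0.2.9 - - [27/Oct/2025:05:20:40 +0000] "GET /uploads/package/brochure.pdf HTTP/1.1" 200 20480',
    '198.51.100.4 - - [27/Oct/2025:05:21:03 +0000] "POST /b2c/package-information HTTP/1.1" 302 0',
    '198.51.100.4 - - [27/Oct/2025:05:21:09 +0000] "POST /b2c/package-information HTTP/1.1" 302 0',
    '198.51.100.4 - - [27/Oct/2025:05:21:15 +0000] "POST /b2c/package-information HTTP/1.1" 302 0',
    '198.51.100.4 - - [27/Oct/2025:05:21:22 +0000] "POST /b2c/package-information HTTP/1.1" 302 0',
    '198.51.100.4 - - [27/Oct/2025:05:21:30 +0000] "POST /b2c/package-information HTTP/1.1" 302 0',
    '192.0.2.50 - - [27/Oct/2025:05:22:02 +0000] "GET /uploads/package/x.phtml HTTP/1.1" 200 17',
    'garbage line that does not parse',
]


def parse_line(raw):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(raw)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string for matching
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, burst_threshold=5, burst_window_s=60):
    """Return alerts for upload bursts and for script files served from the upload location."""
    alerts = []
    posts_by_ip = defaultdict(list)
    burst_reported = set()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            posts_by_ip[ip].append(ts)
            recent = [t for t in posts_by_ip[ip] if (ts - t).total_seconds() <= burst_window_s]
            if len(recent) >= burst_threshold and ip not in burst_reported:
                burst_reported.add(ip)
                alerts.append({"rule": "upload_burst", "ip": ip, "ts": ts,
                               "detail": f"{len(recent)} POSTs within {burst_window_s}s"})
        elif path.startswith(UPLOAD_DIR_PREFIX) and SCRIPT_EXT.search(path) and rec["status"] < 400:
            # A served script under the upload directory is suspicious on its own; if the same
            # client just POSTed to the upload endpoint it is the classic web shell sequence.
            rule = "webshell_access_after_upload" if ip in posts_by_ip else "script_in_upload_dir"
            alerts.append({"rule": rule, "ip": ip, "ts": ts, "detail": path})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"], a["ip"], a["detail"])
```

The successful GET of a script under the upload directory is the higher-fidelity signal; the burst rule mostly catches fuzzing or automated exploit runs and will need its threshold set from the normal rate of package edits in your deployment.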
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-25T16:21:51.792Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ff0129748f7c5f7c9e45b7
Added to database: 10/27/2025, 5:20:41 AM
Last enriched: 11/3/2025, 6:10:51 AM
Last updated: 12/11/2025, 4:31:24 PM
Views: 62
Related Threats
- CVE-2025-14522: Unrestricted Upload in baowzh hfly (Medium)
- CVE-2025-14521: Path Traversal in baowzh hfly (Medium)
- CVE-2025-55314: n/a (High)
- CVE-2025-55313: n/a (High)
- CVE-2025-55312: n/a (High)