CVE-2025-12223 is a vulnerability identified in Bdtask Flight Booking Software versions up to 3.1, specifically within the Package Information Module accessible at the /b2c/package-information endpoint. The flaw allows an attacker to perform unrestricted file uploads remotely without requiring authentication or user interaction. This means malicious actors can upload arbitrary files, including web shells or malware, which can lead to remote code execution, data theft, or full server compromise. The vulnerability is classified with a CVSS 4.0 score of 5.3 (medium severity), reflecting its network attack vector, low complexity, no privileges or user interaction needed, but limited impact on confidentiality, integrity, and availability. The vendor, Bdtask, has not responded to early disclosure attempts, and no official patches or mitigations have been released. Public exploits have surfaced, increasing the likelihood of exploitation. The vulnerability affects critical components of the flight booking system, potentially impacting booking data integrity and availability. Attackers exploiting this flaw could manipulate booking information, disrupt services, or gain persistent access to backend systems. The lack of vendor response and patch availability heightens the urgency for organizations to implement compensating controls.

For European organizations, particularly those in the travel and airline sectors using Bdtask Flight Booking Software, this vulnerability poses significant risks. Successful exploitation could lead to unauthorized access to sensitive customer data, including personal and payment information, resulting in data breaches and regulatory non-compliance under GDPR. Service disruption could affect booking operations, causing financial losses and reputational damage. The ability to upload arbitrary files remotely without authentication increases the risk of server takeover, enabling attackers to deploy ransomware or pivot within the network. Given the strategic importance of the travel industry in Europe and the interconnected nature of booking systems, exploitation could have cascading effects on partners and customers. Additionally, the absence of vendor patches means organizations must rely on internal mitigations, increasing operational burden and risk exposure.

Since no official patch is available, European organizations should implement immediate compensating controls. These include: 1) Restricting file upload functionality by implementing strict server-side validation and whitelisting allowed file types and sizes; 2) Deploying web application firewalls (WAFs) with custom rules to detect and block suspicious upload attempts targeting the /b2c/package-information endpoint; 3) Isolating the affected module within a segmented network zone to limit lateral movement if compromised; 4) Monitoring logs and network traffic for anomalous activities related to file uploads or unexpected web shell behavior; 5) Applying principle of least privilege to the web server and application processes to minimize impact if exploited; 6) Conducting regular security assessments and penetration testing focused on file upload mechanisms; 7) Preparing incident response plans specific to web server compromise scenarios; 8) Engaging with Bdtask or third-party security vendors for potential patches or updates; 9) Considering temporary suspension or replacement of the vulnerable software component if feasible until a patch is released.