CVE-2025-12223 is a vulnerability identified in Bdtask Flight Booking Software up to version 3.1, specifically in the Package Information Module located at /b2c/package-information. The vulnerability allows an attacker to perform unrestricted file uploads remotely without requiring authentication or user interaction. This means an attacker with low privileges can upload arbitrary files, potentially including malicious scripts or executables, which can lead to remote code execution, data manipulation, or system compromise. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, with attack vector network (remote), low attack complexity, no privileges required, and no user interaction needed. The vendor was notified early but has not issued any patches or advisories, and the exploit code is publicly available, increasing the risk of exploitation. The lack of authentication and user interaction requirements combined with unrestricted upload capabilities make this a significant risk for affected organizations. The vulnerability affects versions 3.0 and 3.1 of the software, which is used primarily in flight booking and travel management contexts, making it a critical component for organizations in the travel and tourism sector. No known exploits in the wild have been reported yet, but the public availability of the exploit increases the likelihood of attacks.

The unrestricted upload vulnerability can lead to several impactful consequences for organizations using Bdtask Flight Booking Software. Attackers can upload malicious files such as web shells or scripts, enabling remote code execution and full system compromise. This threatens confidentiality by allowing unauthorized access to sensitive customer and booking data. Integrity is at risk as attackers may alter booking information or system configurations. Availability could be affected if attackers deploy ransomware or disrupt services. The vulnerability's remote exploitability without authentication lowers the barrier for attackers, increasing the attack surface. Organizations relying on this software for critical booking operations may face operational disruptions, reputational damage, and regulatory compliance issues, especially in regions with strict data protection laws. The lack of vendor response and patches exacerbates the risk, potentially leading to targeted attacks or widespread exploitation once threat actors incorporate the exploit into their toolkits.

Given the absence of official patches, organizations should implement immediate compensating controls. First, restrict file upload functionality by enforcing strict server-side validation to allow only safe file types and sizes. Implement whitelist-based file type checks and scan uploaded files for malware. Configure the web server to store uploaded files outside the web root or in directories with no execute permissions to prevent execution of malicious files. Employ web application firewalls (WAFs) to detect and block suspicious upload attempts and anomalous traffic patterns targeting the vulnerable endpoint. Monitor logs for unusual activity related to /b2c/package-information and set up alerts for file upload anomalies. Limit access to the upload functionality to trusted users or IP addresses where possible. Regularly back up critical data and maintain incident response plans to quickly address any compromise. Engage with the vendor for updates and consider migrating to alternative software if no timely patch is forthcoming.