CVE-2025-12597 is a SQL injection vulnerability identified in version 1.0 of the SourceCodester Best House Rental Management System, specifically within the save_category function located in the /admin_class.php file. The vulnerability arises from improper sanitization of the 'Name' parameter, which is directly used in SQL queries, allowing an attacker to inject malicious SQL code. This flaw can be exploited remotely without requiring user interaction or authentication, making it accessible to attackers with network access to the vulnerable system. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H - high privileges required, but the description states no authentication needed, so this may be a discrepancy), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability could allow attackers to read or modify database contents, potentially leading to unauthorized data disclosure, data manipulation, or denial of service. Although no known exploits are currently active in the wild, the public availability of exploit code increases the risk of exploitation. The affected product is niche software used for managing house rental operations, which may be deployed by small to medium property management firms. The lack of official patches at the time of publication necessitates immediate mitigation steps by administrators. The vulnerability highlights the importance of secure coding practices, especially input validation and parameterized queries, to prevent SQL injection attacks.

For European organizations, particularly those in the real estate and property management sectors using the SourceCodester Best House Rental Management System, this vulnerability poses a risk of unauthorized access to sensitive tenant and property data. Exploitation could lead to data breaches involving personally identifiable information (PII), financial details, or contractual information, resulting in regulatory non-compliance under GDPR and potential financial penalties. Additionally, attackers could alter or delete critical data, disrupting rental operations and causing service outages. The remote exploitability without user interaction increases the threat surface, especially for organizations with exposed administrative interfaces. While the impact is rated medium, the potential for data integrity compromise and availability issues could have significant operational and reputational consequences. European entities with limited cybersecurity resources may be particularly vulnerable to exploitation attempts following the public release of exploit code.

1. Immediately restrict network access to the administrative interface of the Best House Rental Management System using firewalls or VPNs to limit exposure. 2. Implement strict input validation and sanitization on all user-supplied data, especially the 'Name' parameter in the save_category function, using allowlists and parameterized queries to prevent SQL injection. 3. Monitor web application logs for unusual or suspicious SQL query patterns indicative of injection attempts. 4. If possible, apply any vendor-provided patches or updates as soon as they become available. 5. Conduct a thorough security review and code audit of the application to identify and remediate other potential injection points. 6. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting this vulnerability. 7. Train administrative users on cybersecurity best practices and the importance of reporting anomalies. 8. Regularly back up databases and verify the integrity of backups to enable recovery in case of data tampering or loss.