CVE-2025-12598: SQL Injection in SourceCodester Best House Rental Management System
A flaw has been found in SourceCodester Best House Rental Management System 1.0. Affected by this issue is the function save_tenant of the file /admin_class.php. Manipulation of the argument firstname can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. Other parameters might be affected as well.
AI Analysis
Technical Summary
CVE-2025-12598 identifies a SQL injection vulnerability in SourceCodester Best House Rental Management System version 1.0, specifically in the save_tenant function located in /admin_class.php. The vulnerability arises from improper sanitization or validation of the firstname parameter, allowing an attacker to inject malicious SQL code remotely. This flaw can be exploited without authentication or user interaction, increasing the risk of unauthorized database access or manipulation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability does not affect system confidentiality, integrity, or availability completely but can lead to significant data exposure or modification. Although no official patch has been released, a public exploit exists, which raises the risk of exploitation. The vulnerability could allow attackers to extract sensitive tenant information, alter rental records, or disrupt system operations, impacting business continuity and data privacy. The lack of authentication requirements and remote exploitability make this a notable risk for organizations using this software in their property management workflows.
Potential Impact
For European organizations, this vulnerability poses a moderate risk to the confidentiality, integrity, and availability of tenant and rental data managed by the affected system. Unauthorized access to tenant information could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. Data manipulation could disrupt rental operations, causing financial losses and operational downtime. The remote exploitability without authentication increases the attack surface, especially for organizations exposing the management system to the internet. Real estate agencies, property management firms, and landlords using this software in Europe could face targeted attacks aiming to extract sensitive personal data or sabotage rental records. The impact is heightened in countries with strict data protection laws and significant rental markets, where data breaches can have severe legal and financial consequences.
Mitigation Recommendations
Organizations should immediately review their deployment of SourceCodester Best House Rental Management System version 1.0 and restrict external access to the affected application, ideally isolating it behind VPNs or internal networks. Implement input validation and sanitization on all user-supplied data, particularly the firstname parameter in the save_tenant function. Where possible, modify the source code to use parameterized queries or prepared statements to eliminate SQL injection risks. Monitor network traffic for suspicious activity targeting the /admin_class.php endpoint. Conduct regular security assessments and code reviews to identify similar injection points. If a patch becomes available from the vendor, prioritize its deployment. Additionally, enforce strict access controls and logging to detect and respond to potential exploitation attempts. Consider deploying Web Application Firewalls (WAFs) with custom rules to block SQL injection payloads targeting this vulnerability.
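The prepared-statement fix recommended above, shown as an added example rather than the project's own code: a string-concatenated insert of the kind that makes save_tenant injectable, beside a hardened version that validates the name fields and binds every value as a parameter. The mysqli connection, the tenants table and its columns, and the function names are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a mysqli connection $conn
// and a hypothetical `tenants` table with firstname/lastname/email columns.

// Vulnerable pattern: request data spliced straight into the SQL string, so a
// quote character in firstname changes the statement the database runs.
function save_tenant_unsafe(mysqli $conn, array $post): bool {
    $sql = "INSERT INTO tenants (firstname, lastname, email) VALUES ('"
         . $post['firstname'] . "', '" . $post['lastname'] . "', '"
         . $post['email'] . "')";
    return $conn->query($sql) !== false;
}

// Shape check for a person's name: letters (including accented), marks,
// spaces, hyphens, apostrophes; bounded length. Apostrophes are legitimate in
// names, which is why validation alone cannot replace parameter binding.
function validate_name(string $value): ?string {
    $value = trim($value);
    if ($value === '' || mb_strlen($value) > 100
        || !preg_match("/^[\p{L}\p{M} '\\-]+$/u", $value)) {
        return null;
    }
    return $value;
}

// Hardened: reject malformed input, then bind all values so tenant data is
// never interpreted as SQL. Binding every parameter also covers the "other
// parameters might be affected" case in the advisory.
function save_tenant_safe(mysqli $conn, array $post): bool {
    $firstname = validate_name($post['firstname'] ?? '');
    $lastname  = validate_name($post['lastname'] ?? '');
    $email     = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($firstname === null || $lastname === null || $email === false) {
        return false; // refuse rather than "clean up" the input
    }
    $stmt = $conn->prepare(
        'INSERT INTO tenants (firstname, lastname, email) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $firstname, $lastname, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same binding pattern applies to every other query in admin_class.php that builds SQL from request parameters.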
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-01T17:23:05.163Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69074a3c2c5f3d6573056ea6
Added to database: 11/2/2025, 12:10:36 PM
Last enriched: 11/10/2025, 2:30:16 AM
Last updated: 12/16/2025, 1:28:16 PM
Views: 64