CVE-2025-13123 is a SQL injection vulnerability identified in AMTT Hotel Broadband Operation System version 1.0, specifically in the /user/portal/get_firstdate.php endpoint. The vulnerability arises from improper sanitization of the 'uid' parameter, allowing an attacker to inject malicious SQL queries. This injection flaw permits remote exploitation without requiring authentication or user interaction, increasing its risk profile. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity due to limited impact on confidentiality, integrity, and availability and the requirement of low privileges (PR:L). The vendor was notified but has not issued any patches or advisories, and while a proof-of-concept exploit has been published, no active exploitation has been observed in the wild. Exploiting this vulnerability could enable attackers to extract sensitive information, modify database contents, or disrupt broadband operation services within hotel environments. Given the nature of the product—hotel broadband management systems—successful exploitation could compromise guest data, billing information, or network access controls. The lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls. This vulnerability highlights the critical need for secure coding practices, especially input validation and parameterized queries, in web-facing hotel management systems.

For European organizations, particularly hotels and hospitality providers using the AMTT Hotel Broadband Operation System, this vulnerability poses a risk to the confidentiality and integrity of guest and operational data. Exploitation could lead to unauthorized access to sensitive customer information, manipulation of billing or network access records, and potential disruption of broadband services offered to guests. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), and financial losses. Since the vulnerability can be exploited remotely without authentication, attackers could target hotels from anywhere, increasing the attack surface. The impact is heightened in countries with large tourism sectors and many hotels using this system. Additionally, compromised hotel broadband systems could be leveraged as pivot points for broader network intrusions within hotel IT infrastructure.

Until an official patch is released by AMTT, European hotels should implement the following mitigations: 1) Deploy web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the uid parameter in /user/portal/get_firstdate.php. 2) Restrict external access to the broadband operation system interface by implementing network segmentation and VPN access controls, limiting exposure to trusted personnel only. 3) Conduct thorough input validation and sanitization on all user-supplied parameters at the network gateway or proxy level if possible. 4) Monitor logs for unusual database query patterns or repeated access attempts to the vulnerable endpoint. 5) Perform regular security assessments and penetration tests focusing on this system to identify exploitation attempts. 6) Engage with AMTT for updates and consider alternative broadband management solutions if the vendor remains unresponsive. 7) Educate IT staff on this vulnerability and ensure incident response plans include steps for SQL injection attacks.