CVE-2025-13208: SQL Injection in FantasticLBP Hotels Server
A security flaw has been discovered in FantasticLBP Hotels Server up to commit 67b44df162fab26df209bd5d5d542875fcbec1d0. The impacted element is an unknown function of the file controller/api/hotelList.php. Manipulation of the argument subjectId/cityName results in SQL injection. The attack can be executed remotely. The exploit has been released to the public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-13208 identifies a SQL injection vulnerability in the FantasticLBP Hotels Server product, specifically within an unknown function in the controller/api/hotelList.php file. The vulnerability is triggered by manipulating the subjectId or cityName parameters, which are not properly sanitized before being used in SQL queries. This allows remote attackers to inject arbitrary SQL commands, potentially extracting or modifying sensitive data stored in the backend database. The attack vector requires no authentication or user interaction, making it easier to exploit remotely. The product follows a rolling release model, complicating version tracking and patch management. Despite early notification, the vendor has not responded or issued a patch, and a public exploit is available, which increases the threat. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the ease of exploitation and potential impact on confidentiality, integrity, and availability, though privileges required are low and no user interaction is needed. The vulnerability could be leveraged to access customer data, booking information, or disrupt hotel operations, posing significant risks to organizations relying on this software. The lack of vendor support and patch availability necessitates proactive defensive measures by users.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized access to sensitive customer and booking data, potentially leading to data breaches and violations of GDPR regulations. The integrity of reservation data could be compromised, resulting in fraudulent bookings or cancellations, damaging business operations and reputation. Availability of the Hotels Server could also be affected if attackers exploit the vulnerability to execute destructive SQL commands. Given the public availability of an exploit and absence of vendor patches, attackers may rapidly target vulnerable systems. This is particularly impactful for tourism-dependent economies and hospitality providers in Europe, where customer trust and data protection are critical. Additionally, compromised systems could be used as footholds for broader network intrusion or lateral movement within enterprise environments. The medium severity rating indicates a moderate but tangible risk that requires immediate attention to avoid operational and compliance consequences.
Mitigation Recommendations
Since no official patch or update is available from the vendor, European organizations should implement immediate compensating controls. These include deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the subjectId and cityName parameters. Input validation and sanitization should be enforced at the application or proxy level to reject input that does not match the expected format. Where source code access is available, organizations should conduct thorough code reviews and penetration testing to identify and remediate the injection points. Network segmentation can limit attacker movement if exploitation occurs. Monitoring and alerting on unusual database queries or application logs can provide early detection of exploitation attempts. Additionally, organizations should prepare incident response plans specific to this vulnerability and consider temporarily disabling or restricting access to the affected API endpoint if feasible. Maintaining regular backups of critical data will aid recovery if data integrity is compromised. Finally, organizations should engage with the vendor for updates and track threat intelligence feeds for emerging exploits or patches.
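As an added example (not code from the FantasticLBP project, nor part of this advisory), the following Python implements two of the compensating controls above for a reverse proxy or log pipeline: an allow-list validator for subjectId and cityName, and a scanner that flags access-log requests to the hotelList.php endpoint whose parameters fail that allow-list. The parameter types are assumptions (a numeric id and a plain city name), since the advisory does not state the real types, and the log lines and IP addresses are constructed for the example.

```python
from __future__ import annotations

import re
import urllib.parse
from dataclasses import dataclass

# Endpoint path taken from the advisory's file name (assumed to be served at the web root).
ENDPOINT = "/controller/api/hotelList.php"

# Allow-list rules. The types are assumptions for this example, not taken from the project:
# subjectId is treated as a positive integer; cityName as Unicode letters, spaces, dots and
# hyphens. Anything else (quotes, comment markers, percent signs, SQL keywords) is rejected
# simply because it is not on the allow-list, so no deny-list of attack strings is needed.
RULES = {
    "subjectId": re.compile(r"^[0-9]{1,10}$"),
    "cityName": re.compile(r"^[^\W\d_][^\W\d_ .-]{0,63}$"),
}


def validate_params(params: dict) -> list:
    """Return the names of parameters whose value violates the allow-list.

    `params` is the shape produced by urllib.parse.parse_qs (name -> list of values).
    Missing parameters are not an error; only values that are present are checked.
    """
    bad = []
    for name, pattern in RULES.items():
        for value in params.get(name, []):
            if not pattern.fullmatch(value):
                bad.append(name)
                break
    return bad


@dataclass
class Finding:
    client: str   # source IP from the log line
    param: str    # which parameter failed validation
    value: str    # the decoded offending value, for the analyst


# Common Log Format request line: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines) -> list:
    """Flag requests to ENDPOINT whose subjectId/cityName fail the allow-list."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        url = urllib.parse.urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes once, so the validator sees the same value the
        # PHP handler would receive in $_GET.
        params = urllib.parse.parse_qs(url.query, keep_blank_values=True)
        for name in validate_params(params):
            findings.append(Finding(m.group("ip"), name, params[name][0]))
    return findings


# Constructed sample log lines (addresses from documentation ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Nov/2025:18:10:01 +0000] "GET /controller/api/hotelList.php?subjectId=12&cityName=Paris HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Nov/2025:18:10:02 +0000] "GET /controller/api/hotelList.php?subjectId=12&cityName=Z%C3%BCrich HTTP/1.1" 200 480',
    '198.51.100.7 - - [15/Nov/2025:18:10:03 +0000] "GET /controller/api/hotelList.php?subjectId=1%27%20OR%201%3D1 HTTP/1.1" 200 9120',
    '198.51.100.7 - - [15/Nov/2025:18:10:04 +0000] "GET /controller/api/hotelList.php?cityName=Paris%27-- HTTP/1.1" 500 133',
    '192.0.2.9 - - [15/Nov/2025:18:10:05 +0000] "GET /index.php?subjectId=%27 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {f.client} param={f.param} value={f.value!r}")
```

Running the module prints two alerts, both for 198.51.100.7; the accented city name passes and the request to a different path is ignored. Two design points matter for a practitioner: the validator works on the once-decoded value, so double-encoded input such as `%2527` still fails because `%` is not on the allow-list, and the allow-list deliberately excludes the apostrophe even though some real place names contain one. If such names must be accepted, the correct fix is a parameterized query in the PHP handler, not a looser regex, and this control should then be treated as a detection aid rather than the only barrier.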
Affected Countries
France, Spain, Italy, Germany, United Kingdom, Netherlands, Portugal, Greece, Austria, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-14T18:57:26.221Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6918c2a66c45b14c393afde5
Added to database: 11/15/2025, 6:12:54 PM
Last enriched: 11/22/2025, 7:26:10 PM
Last updated: 1/7/2026, 5:24:50 AM
Views: 66
Related Threats
- CVE-2026-0650: CWE-306 Missing Authentication for Critical Function in OpenFlagr Flagr (Critical)
- CVE-2025-15474: CWE-770 Allocation of Resources Without Limits or Throttling in AuntyFey AuntyFey Smart Combination Lock (Medium)
- CVE-2025-14468: CWE-352 Cross-Site Request Forgery (CSRF) in mohammed_kaludi AMP for WP – Accelerated Mobile Pages (Medium)
- CVE-2025-9611: CWE-749 Exposed Dangerous Method or Function in Microsoft Playwright (High)
- CVE-2026-22162 (Unknown)