CVE-2025-2655 identifies a SQL injection vulnerability in SourceCodester AC Repair and Services System version 1.0, specifically in the save_users and delete_users functions located in the /classes/Users.php file. The vulnerability arises from improper sanitization of the ID parameter, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This can lead to unauthorized access, modification, or deletion of database records, potentially compromising the confidentiality, integrity, and availability of the system's data. The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L) and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is low to limited (VC:L, VI:L, VA:L), resulting in a CVSS 4.0 base score of 6.9, categorized as medium severity. Although no known exploits are currently active in the wild, the availability of public exploit code increases the risk of exploitation. The vulnerability may also affect other parameters beyond ID, indicating a broader input validation issue. The affected product is niche software used for managing AC repair and services, which may limit the scope but still poses a risk to organizations relying on it for operational management. No official patches or fixes have been linked yet, so mitigation requires manual intervention such as input validation and use of parameterized queries.

For European organizations using SourceCodester AC Repair and Services System 1.0, this vulnerability could lead to unauthorized access to sensitive customer and operational data, manipulation or deletion of user records, and potential disruption of service management workflows. This may result in data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR), and operational downtime. Since the exploit can be initiated remotely without authentication, attackers could leverage this vulnerability to gain footholds in internal networks or pivot to other systems. The impact is particularly significant for small to medium enterprises in the HVAC and repair service sectors that rely on this software for customer and service management. Additionally, compromised data integrity could affect billing, scheduling, and service quality, leading to financial and reputational damage.

1. Immediately implement input validation and sanitization on all user-supplied parameters, especially the ID parameter in save_users and delete_users functions. 2. Refactor the vulnerable functions to use parameterized queries or prepared statements to prevent SQL injection. 3. Restrict database user permissions to the minimum necessary to limit the impact of any successful injection. 4. Monitor logs for unusual database queries or access patterns indicative of exploitation attempts. 5. If possible, isolate the affected application in a segmented network zone to reduce lateral movement risk. 6. Engage with the vendor or community to obtain or develop official patches or updates. 7. Conduct a thorough code review of other input handling functions to identify and remediate similar vulnerabilities. 8. Educate developers and administrators on secure coding practices and the importance of input validation. 9. Consider deploying Web Application Firewalls (WAF) with rules to detect and block SQL injection attempts targeting this application. 10. Prepare incident response plans specific to potential exploitation scenarios involving this vulnerability.