CVE-2025-40617: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Bookgy Bookgy
SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request through the "IDTIPO", "IDPISTA" and "IDSOCIO" parameters in /bkg_seleccionar_hora_ajax.php.
AI Analysis
Technical Summary
CVE-2025-40617 is a critical SQL Injection vulnerability affecting all versions of the Bookgy software, a product used for booking management. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) within the PHP script /bkg_seleccionar_hora_ajax.php. Specifically, the parameters "IDTIPO", "IDPISTA", and "IDSOCIO" are susceptible to injection attacks because user-supplied input is not properly sanitized or parameterized before being incorporated into SQL queries. An attacker can exploit this flaw by sending crafted HTTP requests that manipulate these parameters, enabling unauthorized retrieval, creation, modification, or deletion of database records. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network (AV:N). The CVSS 4.0 base score is 9.3, reflecting its critical severity due to high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H), with low attack complexity and no privileges or user interaction required. Although no known exploits are currently observed in the wild, the ease of exploitation and severity make it a significant risk. The lack of available patches at the time of publication further exacerbates the threat. This vulnerability could lead to full compromise of the backend database, potentially exposing sensitive customer data, disrupting booking operations, and enabling attackers to manipulate or erase critical business information.
Potential Impact
For European organizations using Bookgy, this vulnerability poses a severe risk to operational continuity and data security. Exploitation could result in unauthorized access to sensitive personal data of customers and employees, violating GDPR and other data protection regulations, leading to legal and financial penalties. The ability to alter or delete booking data could disrupt service availability, causing reputational damage and loss of customer trust. Organizations in sectors such as hospitality, sports facilities, and event management that rely on Bookgy for scheduling and resource allocation are particularly vulnerable. The broad impact on confidentiality, integrity, and availability means that attackers could not only steal data but also sabotage business processes or conduct further lateral movement within the network. Given the critical nature of the vulnerability and the absence of patches, European entities face an urgent need to assess exposure and implement mitigations to prevent potential exploitation.
Mitigation Recommendations
1. Immediate deployment of Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable parameters (IDTIPO, IDPISTA, IDSOCIO).
2. Conduct thorough input validation and sanitization on all user-supplied data, especially the affected parameters, using parameterized queries or prepared statements to prevent injection.
3. Implement strict network segmentation to isolate the Bookgy application and its database from other critical systems, limiting the blast radius of a potential compromise.
4. Monitor web server and application logs for anomalous HTTP requests containing suspicious SQL syntax or unusual parameter values.
5. Engage with the vendor or community to obtain patches or updates as soon as they become available; if unavailable, consider temporarily disabling or restricting access to the vulnerable endpoints.
6. Perform regular security assessments and penetration testing focused on injection vulnerabilities to identify and remediate similar issues proactively.
7. Educate development and operations teams on secure coding practices and the importance of input validation to prevent future injection flaws.
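Recommendation 4 asks for log monitoring of the affected endpoint. The following is an added Python example, not code from this page or from Bookgy: it reads combined-format web server access log lines, keeps only requests to /bkg_seleccionar_hora_ajax.php, and flags any of the three named parameters whose value is not a plain integer (an assumption, since the page does not state the expected type of IDTIPO, IDPISTA or IDSOCIO; the names suggest numeric record IDs). The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlparse, parse_qs

# Endpoint and parameters named in the advisory for CVE-2025-40617.
VULN_PATH = "/bkg_seleccionar_hora_ajax.php"
WATCHED_PARAMS = ("IDTIPO", "IDPISTA", "IDSOCIO")

# Assumption (not stated on the page): the parameters carry numeric record
# identifiers, so an allow-list of plain integers is used instead of a
# blacklist of SQL keywords; anything else (quotes, blanks, text) is flagged.
INT_RE = re.compile(r"^\d{1,10}$")

# Combined/common log format: client - - [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def check_line(line):
    """Return a finding for a suspicious request to the vulnerable endpoint,
    or None when the line is unrelated or its parameters look benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if url.path != VULN_PATH:
        return None
    # keep_blank_values so an empty IDTIPO= is still inspected;
    # parse_qs also percent-decodes, so %27 is checked as a literal quote.
    qs = parse_qs(url.query, keep_blank_values=True)
    bad = {}
    for name in WATCHED_PARAMS:
        for value in qs.get(name, []):
            if not INT_RE.match(value):
                bad[name] = value
    if not bad:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"), "params": bad}

def scan(lines):
    """Run check_line over an iterable of log lines, returning findings only."""
    return [f for f in (check_line(l) for l in lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2025:09:09:16 +0000] "GET /bkg_seleccionar_hora_ajax.php?IDTIPO=3&IDPISTA=12&IDSOCIO=481 HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/May/2025:09:10:02 +0000] "GET /bkg_seleccionar_hora_ajax.php?IDTIPO=3&IDPISTA=12%27&IDSOCIO=481 HTTP/1.1" 500 0',
    '203.0.113.9 - - [21/May/2025:09:10:05 +0000] "GET /index.php?IDTIPO=abc HTTP/1.1" 200 100',
    '203.0.113.4 - - [21/May/2025:09:11:00 +0000] "GET /bkg_seleccionar_hora_ajax.php?IDTIPO=&IDPISTA=12&IDSOCIO=481 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs only record the query string, so parameters sent in a POST body are invisible to this check and need the application's own request logging or a WAF in front of the endpoint.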
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T08:38:07.129Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 5/21/2025, 9:09:16 AM
Last enriched: 6/25/2025, 1:49:23 AM
Last updated: 7/30/2025, 3:57:27 PM