
CVE-2025-40618: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Bookgy Bookgy

Severity: Critical
Published: Tue Apr 29 2025 (04/29/2025, 15:43:11 UTC)
Source: CVE
Vendor/Project: Bookgy
Product: Bookgy

Description

SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request through the "IDRESERVA" parameter in /bkg_imprimir_comprobante.php.

AI-Powered Analysis

Last updated: 06/25/2025, 01:34:56 UTC

Technical Analysis

CVE-2025-40618 is a critical SQL injection vulnerability affecting all versions of the Bookgy application, specifically through the "IDRESERVA" parameter in the /bkg_imprimir_comprobante.php endpoint. This vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89), allowing an unauthenticated remote attacker to inject malicious SQL code via crafted HTTP requests. Exploitation does not require any user interaction or authentication, making it highly accessible to attackers. Successful exploitation can lead to full compromise of the backend database, enabling attackers to retrieve, create, update, or delete data arbitrarily. The vulnerability has a CVSS 4.0 base score of 9.3 (critical), reflecting its high impact on confidentiality, integrity, and availability, combined with ease of exploitation over the network without privileges. Although no public exploits have been reported yet, the severity and simplicity of exploitation make it a significant threat. The vulnerability affects the core reservation printing functionality, which likely interacts with sensitive booking and customer data, increasing the risk of data leakage or manipulation. The lack of available patches or mitigations at the time of publication further elevates the urgency for affected organizations to implement protective measures.

Potential Impact

For European organizations using Bookgy, this vulnerability poses a severe risk to data confidentiality, integrity, and availability. Attackers could exfiltrate sensitive customer and reservation data, manipulate booking records, or disrupt service availability by deleting or corrupting database contents. This could lead to financial losses, reputational damage, regulatory penalties under GDPR due to data breaches, and operational disruptions. Organizations in sectors relying on Bookgy for booking management—such as hospitality, travel agencies, or event management—may experience direct business impact. The ability to exploit this vulnerability remotely without authentication increases the attack surface, potentially enabling widespread attacks if the software is deployed in internet-facing environments. Additionally, compromised systems could be leveraged as pivot points for further network intrusion or ransomware deployment. The absence of known exploits currently provides a window for proactive defense, but the critical severity demands immediate attention to prevent exploitation.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement the following specific mitigations:

1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the "IDRESERVA" parameter, focusing on typical injection patterns and anomalous HTTP requests to /bkg_imprimir_comprobante.php.
2) Conduct immediate code reviews and apply input validation and parameterized queries or prepared statements around the vulnerable parameter to neutralize SQL injection vectors.
3) Restrict direct internet exposure of the Bookgy application, placing it behind VPNs or access controls limiting connections to trusted users and networks.
4) Monitor database logs and web server logs for unusual queries or repeated failed attempts that may indicate exploitation attempts.
5) Implement database user privilege restrictions, ensuring the application uses least privilege accounts that limit the scope of SQL commands executable via the vulnerable interface.
6) Prepare incident response plans specifically addressing potential data breaches or service disruptions stemming from this vulnerability.
7) Engage with the vendor or community for updates and patches, and plan for rapid deployment once available.
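As a starting point for mitigations 1 and 4 (WAF rules and log monitoring), the following added example, which is not part of this advisory or of Bookgy, scans web-server access logs for requests to /bkg_imprimir_comprobante.php whose IDRESERVA value is not a plain integer. The assumption that a legitimate reservation id is a short decimal number and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2025:15:43:11 +0000] "GET /bkg_imprimir_comprobante.php?IDRESERVA=4821 HTTP/1.1" 200 5120
10.0.0.7 - - [29/Apr/2025:15:44:02 +0000] "GET /bkg_imprimir_comprobante.php?IDRESERVA=4821'%20OR%201=1-- HTTP/1.1" 200 90211
10.0.0.7 - - [29/Apr/2025:15:44:09 +0000] "GET /bkg_imprimir_comprobante.php?IDRESERVA=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 312
10.0.0.9 - - [29/Apr/2025:15:45:00 +0000] "GET /index.php?IDRESERVA=x HTTP/1.1" 200 400
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/bkg_imprimir_comprobante.php"   # endpoint named in the advisory
PARAM = "IDRESERVA"                              # parameter named in the advisory
# Assumption: a legitimate reservation id is a short decimal integer.
ID_RE = re.compile(r"^\d{1,10}$")
# Metacharacters and keywords that never belong in an integer id.
SQLI_RE = re.compile(r"(['\";#]|--|/\*|\b(union|select|or|and|sleep|benchmark)\b)", re.I)


def classify_value(value):
    """Return 'ok', 'sqli' or 'malformed' for one decoded IDRESERVA value."""
    if ID_RE.match(value):
        return "ok"
    if SQLI_RE.search(value):
        return "sqli"
    return "malformed"


def scan_log(text):
    """Return (ip, timestamp, decoded_value, verdict) for every non-integer
    IDRESERVA sent to the vulnerable endpoint, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines the regex cannot parse
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue                      # only the vulnerable endpoint matters here
        # parse_qs percent-decodes values, so one layer of encoding is removed.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            verdict = classify_value(value)
            if verdict != "ok":
                findings.append((m.group("ip"), m.group("ts"), value, verdict))
    return findings


if __name__ == "__main__":
    for ip, ts, value, verdict in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {verdict}: {PARAM}={value!r}")
```

Access logs normally record only the request line, so a POST body carrying IDRESERVA will not be seen by this scan; the same whitelist check (reject anything that is not a plain integer) is also the rule to enforce in the WAF and in the application itself. Double-encoded payloads pass through parse_qs still encoded and land in the "malformed" bucket, which is why that verdict should be reviewed rather than ignored.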


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T08:38:07.129Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d983cc4522896dcbeeac0

Added to database: 5/21/2025, 9:09:16 AM

Last enriched: 6/25/2025, 1:34:56 AM

Last updated: 7/30/2025, 3:57:27 PM
