CVE-2025-44203: n/a
In HotelDruid 3.0.7, an unauthenticated attacker can exploit verbose SQL error messages on creadb.php before the 'create database' button is pressed. By sending malformed POST requests to this endpoint, the attacker may obtain the administrator username, password hash, and salt. In some cases, the attack results in a Denial of Service (DoS), preventing the administrator from logging in even with the correct credentials.
AI Analysis
Technical Summary
CVE-2025-44203 is a security vulnerability identified in HotelDruid version 3.0.7, a property management system commonly used in the hospitality industry. The vulnerability arises from the handling of verbose SQL error messages in the 'creadb.php' endpoint before the 'create database' button is pressed. An unauthenticated attacker can send malformed POST requests to this endpoint, which triggers detailed SQL error responses. These error messages inadvertently disclose sensitive information, including the administrator's username, password hash, and salt. This exposure allows attackers to potentially perform offline password cracking attacks to recover administrator credentials. Furthermore, exploitation can lead to a Denial of Service (DoS) condition that prevents legitimate administrators from logging in, even with correct credentials. The vulnerability does not require authentication or user interaction, making it accessible to any remote attacker who can reach the affected endpoint. Although no known exploits are currently reported in the wild, the nature of the vulnerability—information disclosure combined with DoS—poses a significant risk to the confidentiality and availability of the affected system. No CVSS score has been assigned yet, and no patches or mitigations have been officially published as of the vulnerability's disclosure date (June 20, 2025).
Potential Impact
For European organizations, particularly those in the hospitality sector using HotelDruid 3.0.7, this vulnerability can have severe consequences. The disclosure of administrator credentials compromises the confidentiality and integrity of the system, potentially allowing attackers to gain unauthorized administrative access. This access could lead to manipulation of booking data, financial fraud, or further lateral movement within the organization's network. The DoS aspect can disrupt hotel operations by locking out administrators, impacting availability and service continuity. Given the hospitality industry's reliance on timely and accurate reservation management, such disruptions could result in financial losses and reputational damage. Additionally, the exposure of password hashes and salts increases the risk of credential compromise beyond the affected system if password reuse occurs. The vulnerability's unauthenticated nature and lack of required user interaction increase the likelihood of exploitation, especially in environments where the affected endpoint is exposed to the internet or insufficiently segmented networks.
Mitigation Recommendations
Organizations should immediately audit their use of HotelDruid 3.0.7 and restrict access to the 'creadb.php' endpoint, ideally limiting it to trusted internal networks or VPNs. Implementing web application firewalls (WAFs) with rules to detect and block malformed POST requests targeting this endpoint can reduce exposure. Administrators should monitor logs for unusual or repeated access attempts to 'creadb.php' and investigate any anomalies. Since no official patch is available, consider deploying temporary application-level mitigations such as disabling verbose SQL error messages or customizing error handling to avoid leaking sensitive information. Passwords should be reset for administrator accounts following any suspected exploitation, and multi-factor authentication (MFA) should be enforced to mitigate the risk of credential compromise. Network segmentation to isolate management interfaces and regular backups of critical data will help reduce the impact of potential DoS conditions. Finally, organizations should stay alert for vendor updates or patches and apply them promptly once available.
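The log-monitoring step recommended above can be sketched as follows. This is an added example, not code from HotelDruid or from this advisory. It assumes Combined Log Format access logs, a trusted network of 10.0.0.0/8, a threshold of three POSTs per source, and a constructed `/hoteldruid/` path in the sample lines.

```python
import ipaddress
import re
from collections import Counter

# Assumptions: networks allowed to reach the installer, and the repeat threshold.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
REPEAT_THRESHOLD = 3
# Combined Log Format prefix: ip ident user [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETS)

def creadb_posts(lines):
    """Yield (ip, time, status) for each POST to creadb.php; skip unparsable lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].lower()  # ignore the query string
        if path.endswith("/creadb.php"):
            yield m["ip"], m["time"], int(m["status"])

def triage(lines):
    """Return {source_ip: [reasons]} for sources worth investigating."""
    counts = Counter(ip for ip, _, _ in creadb_posts(lines))
    findings = {}
    for ip, n in counts.items():
        reasons = []
        if not is_trusted(ip):
            reasons.append("untrusted-source")
        if n >= REPEAT_THRESHOLD:
            reasons.append(f"repeated-posts:{n}")
        if reasons:
            findings[ip] = reasons
    return findings

def _line(ip, method, page):  # builds one constructed log line
    return f'{ip} - - [21/Jun/2025:10:00:00 +0000] "{method} /hoteldruid/{page} HTTP/1.1" 200 512'
SAMPLE_LOG = [  # constructed sample data, not from a real system
    _line("10.1.2.3", "POST", "creadb.php"),            # trusted, single request
    *[_line("203.0.113.7", "POST", "creadb.php")] * 3,  # external and repeated
    _line("192.0.2.44", "POST", "creadb.php"),          # external, single request
    _line("198.51.100.9", "GET", "creadb.php"),         # not a POST, ignored
]
```

Calling `triage(SAMPLE_LOG)` flags the two external sources and leaves the trusted one alone; on a real server, pass the open access log file in place of the sample list.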
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Austria, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68568e83aded773421b5a972
Added to database: 6/21/2025, 10:50:43 AM
Last enriched: 6/21/2025, 12:23:14 PM
Last updated: 1/7/2026, 4:17:23 AM