CVE-2025-6116 is a SQL Injection vulnerability identified in version 6.2.0 of the Das Parking Management System (停车场管理系统). The vulnerability resides in the API component, specifically within the /IntraFieldVehicle/Search endpoint. The issue arises from improper sanitization or validation of the 'Value' argument, which allows an attacker to inject malicious SQL code. This injection can be performed remotely without any authentication or user interaction, making exploitation relatively straightforward. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits have yet been observed in the wild. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting the potential for partial impact on confidentiality, integrity, and availability. The attack vector is network-based with low attack complexity and no privileges or user interaction required. The vulnerability affects the confidentiality, integrity, and availability of the backend database, potentially allowing attackers to extract sensitive data, modify records, or disrupt service availability. Given the critical nature of parking management systems in urban infrastructure and commercial facilities, exploitation could lead to operational disruptions and data breaches.

For European organizations using the Das Parking Management System 6.2.0, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to sensitive data such as vehicle records, user information, and transaction logs. This could result in privacy violations under GDPR regulations, leading to legal and financial repercussions. Integrity of parking data could be compromised, causing incorrect billing or access control failures, which may disrupt operations and customer trust. Availability impacts could manifest as denial of service if the database is manipulated or corrupted, affecting parking facility operations. Organizations managing critical infrastructure or high-traffic urban parking facilities could face operational downtime, reputational damage, and increased risk of further attacks leveraging compromised systems. The public disclosure of the vulnerability increases the urgency for mitigation to prevent opportunistic attacks.

1. Immediate application of vendor patches or updates once available is critical. Since no patch links are currently provided, organizations should engage with the vendor for timely remediation. 2. Implement Web Application Firewall (WAF) rules specifically targeting SQL injection patterns on the /IntraFieldVehicle/Search API endpoint to block malicious payloads. 3. Conduct thorough input validation and sanitization on all user-supplied inputs, especially the 'Value' parameter, using parameterized queries or prepared statements to prevent injection. 4. Monitor logs for unusual query patterns or repeated failed attempts targeting the vulnerable endpoint to detect exploitation attempts early. 5. Restrict network access to the API endpoint to trusted IP ranges where feasible, reducing exposure to external attackers. 6. Perform regular security assessments and penetration testing focused on API endpoints to identify and remediate injection flaws proactively. 7. Educate development and operations teams on secure coding practices and the importance of input validation to prevent similar vulnerabilities in future releases.