
CVE-2025-6117: SQL Injection in Das Parking Management System 停车场管理系统

Medium
Published: Mon Jun 16 2025 (06/16/2025, 10:00:12 UTC)
Source: CVE Database V5
Vendor/Project: Das
Product: Parking Management System 停车场管理系统

Description

A vulnerability was found in Das Parking Management System 停车场管理系统 6.2.0. It has been declared as critical. This vulnerability affects unknown code of the file /Reservations/Search of the component API. The manipulation of the argument Value leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/16/2025, 10:34:32 UTC

Technical Analysis

CVE-2025-6117 is a SQL injection vulnerability in version 6.2.0 of the Das Parking Management System (停车场管理系统), in the API endpoint /Reservations/Search. The CVE record does not identify the affected code, but the cause is the usual one: the 'Value' argument reaches a database query without being parameterized or validated, so a remote attacker can alter the structure of the query without authenticating and without any user interaction. Depending on the database account the application runs under, that allows reading reservation data beyond what the search is meant to return, modifying or deleting records, or compromising the database entirely. A public exploit exists, which lowers the bar for attackers, although no exploitation in the wild has been reported so far. The CVSS 4.0 base score is 6.9 (medium), reflecting a network attack vector, low attack complexity, and no privileges or user interaction required, with confidentiality, integrity and availability impact each rated low. The practical consequences can still be serious: the endpoint serves reservation searches, which are central to day-to-day operation of parking facilities running this software.

Potential Impact

For European organizations utilizing the Das Parking Management System 6.2.0, this vulnerability poses a risk of unauthorized access to sensitive reservation and customer data, potentially including personally identifiable information (PII) and payment details. Exploitation could lead to data breaches, undermining customer trust and violating data protection regulations such as GDPR. Additionally, attackers could manipulate reservation data, causing operational disruptions in parking services, leading to financial losses and reputational damage. Given that parking management systems often integrate with broader facility management and security infrastructure, a successful attack could serve as a foothold for lateral movement within organizational networks. The public disclosure of the vulnerability increases the urgency for mitigation to prevent opportunistic attacks. Although no active exploitation is reported, the ease of remote exploitation without authentication elevates the threat level for organizations relying on this system.

Mitigation Recommendations

Organizations should immediately identify deployments of Das Parking Management System 6.2.0 and upgrade to a fixed version as soon as the vendor publishes one. Until then, treat the following as stopgaps, not a fix: add Web Application Firewall (WAF) rules that block SQL injection patterns in requests to /Reservations/Search, bearing in mind that signature-based rules can be bypassed with alternative encodings and syntax; restrict network access to the API to trusted IP ranges or a VPN where the deployment allows it; and run the application against the database with a least-privilege account that can only read and write the tables the application needs, so a successful injection cannot reach other data or run administrative statements. Where the code can be changed (in-house customization or vendor engagement), the real fix is in the application layer: pass the 'Value' parameter, and every other user-supplied input, to the database as a bound parameter of a prepared statement instead of splicing it into query text, and validate it against the format the search expects. Monitor application and web-server logs for requests to the endpoint whose Value contains quote characters followed by SQL keywords, comment sequences or tautologies, and for unusual response sizes or request rates from single clients, since public availability of the exploit makes opportunistic scanning likely. Finally, make sure incident response plans cover SQL injection against this kind of operational system, including how to determine which records were accessed.
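The injectable query shape behind a search parameter that the technical analysis describes, its parameterized rewrite from the mitigation list, and log-based detection of attempts against the /Reservations/Search endpoint, shown together as an added example. This is not Das code and not part of the original advisory: the real handler is not public (the CVE record says "unknown code"), so search_vulnerable only models the pattern the record implies, the reservation table, column names, sample rows and log lines are constructed, and the detector's regular expression is an assumption of this example, not a vendor signature.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample reservations; the product's real schema is not public.
SAMPLE_ROWS = [
    ("ABC123", "A. Customer", "+49 30 000001"),
    ("XYZ789", "B. Customer", "+33 1 000002"),
    ("KLM456", "C. Customer", "+34 91 000003"),
]

# Constructed access-log lines (combined log format): one benign search, two
# injection attempts from the same client, a benign value containing an
# apostrophe, and an unrelated endpoint the detector must ignore.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jun/2025:10:01:02 +0000] "GET /Reservations/Search?Value=ABC123 HTTP/1.1" 200 512',
    '203.0.113.77 - - [16/Jun/2025:10:01:09 +0000] "GET /Reservations/Search?Value=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812',
    '203.0.113.77 - - [16/Jun/2025:10:01:15 +0000] "GET /Reservations/Search?Value=%27%20UNION%20SELECT%20id%2Cphone%2Ccustomer%20FROM%20reservations-- HTTP/1.1" 200 14020',
    '198.51.100.9 - - [16/Jun/2025:10:02:00 +0000] "GET /Reservations/Search?Value=O%27Brien HTTP/1.1" 200 480',
    '198.51.100.9 - - [16/Jun/2025:10:02:30 +0000] "GET /Login?Value=%27%20OR%201%3D1-- HTTP/1.1" 302 0',
]


def make_db():
    """In-memory SQLite database holding the constructed reservation table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservations (id INTEGER PRIMARY KEY, plate TEXT, customer TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO reservations (plate, customer, phone) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def search_vulnerable(conn, value):
    """Hypothetical handler shape: 'Value' is spliced into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL syntax."""
    sql = f"SELECT id, plate, customer FROM reservations WHERE plate LIKE '%{value}%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, value):
    """Same search with a bound parameter. The input can never change the query
    structure; LIKE wildcards in it are escaped as well so '%' does not match all."""
    escaped = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT id, plate, customer FROM reservations WHERE plate LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed indicators: a quote breaking into a boolean/UNION clause, comment
# sequences, a quoted tautology, or a stacked data-changing statement.
SQLI_RE = re.compile(
    r"'\s*(?:or|and|union)\b|--|/\*|'\s*=\s*'|;\s*(?:drop|delete|insert|update|exec)\b",
    re.IGNORECASE,
)


def flag_search_requests(log_lines):
    """Return (client_ip, decoded Value) for /Reservations/Search requests whose
    Value parameter looks like an injection attempt. Other paths are ignored."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/Reservations/Search":
            continue
        for value in parse_qs(parts.query).get("Value", []):
            if SQLI_RE.search(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT id, phone, customer FROM reservations--"
    print("vulnerable:", search_vulnerable(db, payload))
    print("hardened:  ", search_hardened(db, payload))
    for ip, value in flag_search_requests(SAMPLE_LOG):
        print(f"ALERT {ip} Value={value!r}")
```

The UNION payload makes the vulnerable function return the phone column alongside the plates, which is the data-leakage path the analysis warns about; the hardened function returns nothing for the same input because the whole string is matched literally. The detector deliberately requires a quote followed by a keyword or comment token rather than a bare quote, so a legitimate value like O'Brien is not flagged.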


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-15T10:12:12.398Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684fefaaa8c921274383f680

Added to database: 6/16/2025, 10:19:22 AM

Last enriched: 6/16/2025, 10:34:32 AM

Last updated: 8/16/2025, 1:47:20 AM

