
CVE-2025-6118: SQL Injection in Das Parking Management System 停车场管理系统

Severity: Medium
Published: Mon Jun 16 2025 (06/16/2025, 10:31:05 UTC)
Source: CVE Database V5
Vendor/Project: Das
Product: Parking Management System 停车场管理系统

Description

A vulnerability was found in Das Parking Management System 停车场管理系统 6.2.0. It has been rated as critical. This issue affects some unknown processing of the file /vehicle/search of the component API. The manipulation of the argument vehicleTypeCode leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis last updated: 06/16/2025, 11:04:30 UTC

Technical Analysis

CVE-2025-6118 is a SQL Injection vulnerability identified in version 6.2.0 of the Das Parking Management System (停车场管理系统). The vulnerability resides in the API endpoint /vehicle/search, specifically in the handling of the vehicleTypeCode parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially altering the intended database queries executed by the system. This could allow unauthorized access to or modification of the backend database. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (no privileges or user interaction needed) but limited impact on confidentiality, integrity, and availability (each rated low). Although no public exploits have been observed in the wild yet, the vulnerability details have been disclosed publicly, increasing the risk of exploitation attempts. The lack of available patches or mitigations from the vendor at the time of publication further elevates the urgency for affected organizations to implement protective measures. The vulnerability does not involve scope changes or supply chain components, and the attack vector is network-based, making it accessible to remote attackers without prior access to the system.

Potential Impact

For European organizations using the Das Parking Management System 6.2.0, this vulnerability poses a risk of unauthorized database access or manipulation. Given that parking management systems often handle sensitive data such as vehicle registration details, user information, and payment records, exploitation could lead to data leakage or corruption. This may result in privacy violations, regulatory non-compliance (e.g., GDPR), and operational disruptions in parking services. Although the CVSS score suggests medium severity, the criticality of the affected system in urban infrastructure and commercial facilities could amplify the impact. Attackers could leverage the vulnerability to extract sensitive data or alter records, potentially causing financial loss or reputational damage. The remote and unauthenticated nature of the exploit increases the attack surface, especially for organizations exposing the API endpoint to public or semi-public networks. The absence of known exploits in the wild currently limits immediate risk, but the public disclosure means that threat actors may develop exploits rapidly. Organizations relying on this system should consider the potential cascading effects on integrated systems and services that depend on accurate parking data.

Mitigation Recommendations

1. Immediate network-level controls: Restrict access to the /vehicle/search API endpoint by implementing IP whitelisting or VPN access to limit exposure to trusted networks only.
2. Web Application Firewall (WAF): Deploy or update WAF rules to detect and block SQL injection patterns targeting the vehicleTypeCode parameter.
3. Input validation and sanitization: If possible, apply strict input validation on vehicleTypeCode to allow only expected values (e.g., predefined codes or numeric ranges) and reject suspicious inputs.
4. Monitoring and logging: Enable detailed logging of API requests and monitor for anomalous query patterns or repeated failed attempts indicative of injection attempts.
5. Vendor engagement: Contact Das for official patches or updates and apply them promptly once available.
6. Segmentation: Isolate the parking management system database from other critical infrastructure to limit lateral movement in case of compromise.
7. Incident response readiness: Prepare to respond to potential data breaches or service disruptions by having backup and recovery plans specific to the parking management system data.
8. Regular security assessments: Conduct penetration testing focused on API endpoints to identify and remediate injection or other vulnerabilities proactively.
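The following is an added illustration of recommendations 3 and 4, not code from the Das product or from this advisory: a string-concatenated search handler of the kind the description implies, its hardened counterpart (allowlist plus bound parameter), and the same allowlist applied to constructed access-log lines to flag suspect /vehicle/search requests. The table layout, the vehicleTypeCode format and the log lines are all assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory table; the real Das schema is not public, so names are assumptions.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicle (plate TEXT, vehicle_type_code TEXT, owner TEXT)")
    conn.executemany("INSERT INTO vehicle VALUES (?, ?, ?)",
                     [("A123", "CAR", "alice"), ("B456", "TRUCK", "bob"), ("C789", "CAR", "carol")])
    return conn

# Vulnerable pattern: the request parameter is spliced into the SQL text, so a stray
# quote in vehicleTypeCode changes the statement instead of the match value.
def search_vulnerable(conn, vehicle_type_code: str) -> list:
    sql = f"SELECT plate, owner FROM vehicle WHERE vehicle_type_code = '{vehicle_type_code}'"
    return conn.execute(sql).fetchall()

# Allowlist for the parameter: short upper-case alphanumeric codes (assumed format).
CODE_RE = re.compile(r"[A-Z0-9_]{1,16}")
# Hardened pattern: enforce the allowlist, then bind the value as a query parameter
# so the database driver never interprets it as SQL.
def search_hardened(conn, vehicle_type_code: str) -> list:
    if not CODE_RE.fullmatch(vehicle_type_code):
        raise ValueError(f"rejected vehicleTypeCode: {vehicle_type_code!r}")
    sql = "SELECT plate, owner FROM vehicle WHERE vehicle_type_code = ?"
    return conn.execute(sql, (vehicle_type_code,)).fetchall()

# Monitoring: apply the same allowlist to access-log lines (constructed samples in
# common log format) and return the /vehicle/search requests that would be rejected.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jun/2025:10:31:05 +0000] "GET /vehicle/search?vehicleTypeCode=CAR HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Jun/2025:10:31:07 +0000] "GET /vehicle/search?vehicleTypeCode=CAR%27%20-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [16/Jun/2025:10:31:08 +0000] "GET /vehicle/list?page=1 HTTP/1.1" 200 90',
]

def flag_requests(log_lines: list) -> list:
    flagged = []
    for line in log_lines:
        match = REQ_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path != "/vehicle/search":
            continue
        values = parse_qs(target.query).get("vehicleTypeCode", [])
        if any(not CODE_RE.fullmatch(v) for v in values):
            flagged.append(line)
    return flagged
```

With the sample data, `search_vulnerable` raises a database syntax error for a value containing a single quote while `search_hardened` rejects it before any query runs, and `flag_requests(SAMPLE_LOG)` returns only the second log line.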


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-15T10:12:15.173Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684ff6b8a8c921274383fdf7

Added to database: 6/16/2025, 10:49:28 AM

Last enriched: 6/16/2025, 11:04:30 AM

Last updated: 8/18/2025, 11:33:54 PM
