CVE-2025-6122: SQL Injection in code-projects Restaurant Order System
A vulnerability, which was classified as critical, was found in code-projects Restaurant Order System 1.0. This affects an unknown part of the file /table.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-6122 is a SQL injection vulnerability in version 1.0 of the code-projects Restaurant Order System, located in the /table.php script. The value of the 'ID' request parameter is used in a database query without validation or parameter binding, so anyone who can reach the script can append SQL to that parameter and change the query the application runs. The attack is launched remotely over HTTP and needs no user interaction. Note that the published CVSS 4.0 vector carries PR:L (low privileges required), so the assigner rated the vulnerable code path as needing some low-privileged access; the VulDB summary itself says nothing about a login, and until the source has been reviewed it is safer to assume /table.php is reachable by any client that can reach the application. A successful injection gives the attacker access to the backend database and, depending on the rights of the database account the application uses, the ability to read, modify or delete data on orders, tables or customers. The exact schema and the affected queries are not disclosed, but SQL injection in general threatens the confidentiality, integrity and availability of the stored data. The CVSS 4.0 base score is 5.3 (medium): remote attack vector, no user interaction, low privileges required (PR:L) and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L); VulDB's own classification of the entry is "critical". No exploitation in the wild is known, but the exploit details are public, which lowers the bar for opportunistic attacks. No patch or fix has been linked, so affected installations stay vulnerable until the code is fixed locally. Only version 1.0 is listed as affected. The product is a small PHP order-management application, typically deployed by small and medium hospitality businesses, often on internet-facing web servers without further protection.
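The following script is an added illustration and is not code from this page or from code-projects; the real /table.php source is not reproduced here. It builds an in-memory SQLite database with a constructed schema (table and column names are assumptions) and shows the flaw class the summary describes: an 'ID' value spliced into the SQL text, with a boolean payload that returns every row and a UNION payload that pulls rows from an unrelated table, next to a hardened lookup that binds the parameter and rejects non-integer IDs.

```python
"""Added illustration for CVE-2025-6122, not the project's own code.

The vulnerable function is a constructed stand-in for the unbound 'ID'
parameter in /table.php; the schema and sample rows are made up.
"""
import sqlite3

# Constructed sample schema; real table/column names are unknown.
SCHEMA = """
CREATE TABLE dining_tables (id INTEGER PRIMARY KEY, label TEXT, status TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO dining_tables VALUES (1, 'T1', 'free'), (2, 'T2', 'occupied'), (3, 'T3', 'free');
INSERT INTO users VALUES (1, 'admin', 'constructed-hash');
"""


def make_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_table_vulnerable(conn, raw_id):
    """Mirrors the flaw class: the request value becomes part of the SQL text."""
    sql = f"SELECT id, label, status FROM dining_tables WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_table_bound_only(conn, raw_id):
    """Binding alone defeats injection: the value is data, never parsed as SQL."""
    sql = "SELECT id, label, status FROM dining_tables WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def lookup_table_safe(conn, raw_id):
    """Hardened form: strict type check, then a bound parameter.

    The int check is not the injection defence (binding is); it rejects junk
    early so the application can answer with a clean 4xx instead of a
    database error, which also removes an error-based oracle.
    """
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("ID must be a positive integer")
    return lookup_table_bound_only(conn, int(raw_id))


def demo():
    """Run the three lookups against benign and malicious IDs."""
    conn = make_db()
    results = {}
    results["normal"] = lookup_table_vulnerable(conn, "2")
    # Boolean-based payload: the WHERE clause becomes always-true.
    results["or_true"] = lookup_table_vulnerable(conn, "1 OR 1=1")
    # UNION payload: rows from an unrelated table ride along in the response.
    results["union"] = lookup_table_vulnerable(
        conn, "0 UNION SELECT id, username, password_hash FROM users")
    # Same payload through a bound parameter: compared as a literal, no match.
    results["bound_or_true"] = lookup_table_bound_only(conn, "1 OR 1=1")
    results["safe_normal"] = lookup_table_safe(conn, "2")
    try:
        lookup_table_safe(conn, "1 OR 1=1")
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The UNION payload only works because the attacker matched the three-column shape of the original SELECT; in practice that shape is discovered with a few ORDER BY or UNION probes, which is why repeated 500 responses on the same endpoint are worth alerting on.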
Potential Impact
For European organizations in the hospitality sector that run code-projects Restaurant Order System 1.0, this vulnerability could expose whatever the application stores in its database: customer orders, table assignments and any customer details kept alongside them. Tampering with the database could disrupt order processing and cause operational downtime and financial loss. Exposure of personal data can bring regulatory penalties under GDPR, reputational damage and loss of customer trust. The CVSS score is medium, but VulDB classifies the entry as critical, and organizations should consider how it could be chained with other weaknesses (for example, a database account with write or file privileges, or credentials stored in the same database). The remote attack vector and the low privilege requirement widen the attack surface, especially for restaurants whose order system faces the internet. An attacker who reaches the database may also use it as a foothold to move further into the network if segmentation is weak. The impact is greatest for organizations without robust database hardening or network defenses.
Mitigation Recommendations
1. As an immediate measure, restrict external access to the /table.php endpoint with network-level controls (firewall rules, or a web application firewall configured to detect and block SQL injection patterns in the 'ID' parameter). Treat the WAF as a stopgap, not a fix.
2. Fix the code: use prepared statements with bound parameters for every query that touches the 'ID' value, and validate that the value is an integer before it reaches the query. Parameter binding, not input filtering, is what prevents injection; the integer check is a second layer that turns junk input into a clean error. No official patch is available, so organizations that have the source should apply this change themselves.
3. Audit the rest of the application and run penetration tests focused on SQL injection, since every user-supplied parameter in this code base should be assumed to be handled the same way.
4. Monitor web server and database logs for unusual query patterns, non-numeric or SQL-looking values in the 'ID' parameter, and repeated 500 responses from /table.php that may indicate probing.
5. Keep the database server off the internet and run the application with a database account holding only the privileges it needs, so a successful injection cannot read or alter unrelated tables.
6. Replace or upgrade the software to a fixed version once one is available.
7. Make SQL injection awareness and secure coding practices part of the development lifecycle for any customizations or future deployments.
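For recommendation 4 (log monitoring), here is an added example that is not part of the original page or the code-projects product. It parses Apache combined-format access log lines, isolates requests to /table.php, decodes the 'ID' parameter and flags values that are not plain integers, distinguishing values that carry SQL tokens from merely malformed ones, then reports source addresses with repeated hits. The log lines are constructed samples with documentation IP addresses, and the token list is a starting heuristic to be tuned against real traffic.

```python
"""Added illustration: triage access logs for injection attempts against the
'ID' parameter of /table.php. Not from the page or the project; the sample
log lines below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jun/2025:13:04:01 +0000] "GET /table.php?ID=2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jun/2025:13:04:05 +0000] "GET /table.php?ID=2%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jun/2025:13:04:07 +0000] "GET /table.php?ID=2%20OR%201%3D1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jun/2025:13:04:09 +0000] "GET /table.php?ID=0%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 1200 "-" "sqlmap/1.8"
198.51.100.7 - - [16/Jun/2025:13:05:00 +0000] "GET /menu.php?cat=3 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2025:13:05:02 +0000] "GET /table.php?ID=abc HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Heuristic: SQL keywords as whole words, plus quote, comment and statement separators.
SQL_TOKENS = re.compile(r"(?i)\b(union|select|or|and|sleep|benchmark)\b|'|--|/\*|;")


def classify_id(decoded_value):
    """Return a reason string if the (already URL-decoded) ID value looks
    suspicious, or None for a plain integer as the application expects."""
    if decoded_value.isdigit():
        return None
    if SQL_TOKENS.search(decoded_value):
        return "sql-token"
    return "non-numeric"


def scan_log(text):
    """Return (ip, timestamp, decoded ID, reason, status, user-agent) tuples
    for every /table.php request whose ID parameter is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        parts = urlsplit(m["target"])
        if parts.path != "/table.php":
            continue
        # parse_qs percent-decodes values; compare keys case-insensitively
        # because scanners vary the casing of parameter names.
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if key.lower() != "id":
                continue
            for value in values:
                reason = classify_id(value)
                if reason:
                    findings.append(
                        (m["ip"], m["ts"], value, reason, int(m["status"]), m["ua"]))
    return findings


def burst_sources(findings, threshold=3):
    """Source IPs with at least `threshold` suspicious hits, for alerting or blocking."""
    counts = {}
    for ip, *_ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("burst sources:", burst_sources(hits))
```

The 500 status on the single-quote probe is the tell-tale of a syntax error reaching the database; paired with a later 200 carrying a much larger response body (the always-true payload), it is a strong sign that the injection worked rather than merely being attempted.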
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-15T10:27:07.990Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68501657a8c9212743842463
Added to database: 6/16/2025, 1:04:23 PM
Last enriched: 6/16/2025, 1:19:30 PM
Last updated: 8/12/2025, 3:17:50 AM
Related Threats
CVE-2025-9026: OS Command Injection in D-Link DIR-860L (Medium)
CVE-2025-9025: SQL Injection in code-projects Simple Cafe Ordering System (Medium)
CVE-2025-9024: SQL Injection in PHPGurukul Beauty Parlour Management System (Medium)
CVE-2025-9023: Buffer Overflow in Tenda AC7 (High)
CVE-2025-8905: CWE-94 Improper Control of Generation of Code ('Code Injection') in inpersttion Inpersttion For Theme (Medium)