CVE-2025-6907 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Car Rental System, specifically within the /book_car.php file. The vulnerability arises from improper sanitization or validation of the 'fname' parameter, which is directly used in SQL queries. This flaw allows an unauthenticated remote attacker to inject malicious SQL code, potentially leading to unauthorized data access, data modification, or database corruption. The vulnerability does not require any privileges or user interaction to exploit, making it highly accessible to attackers. Although the CVSS 4.0 score is 6.9 (medium severity), the potential impact on confidentiality, integrity, and availability of the backend database is significant. The exploit has been publicly disclosed but no known exploits in the wild have been reported yet. The vulnerability affects only version 1.0 of the Car Rental System, which is a niche product used for managing car rental bookings and customer data. The lack of available patches or mitigations at this time increases the risk for organizations using this software. Attackers could leverage this vulnerability to extract sensitive customer information, manipulate booking records, or disrupt service availability, which could have severe operational and reputational consequences.

For European organizations using the code-projects Car Rental System 1.0, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized disclosure of personal customer data, including names and booking details, violating GDPR and other data protection regulations, potentially resulting in heavy fines and legal repercussions. Integrity of booking and rental records could be compromised, leading to financial losses and operational disruptions. Availability of the rental service could be affected if attackers execute destructive SQL commands or cause database outages. Given the critical nature of the vulnerability and the lack of authentication or user interaction requirements, attackers could automate exploitation attempts, increasing the likelihood of successful breaches. Organizations relying on this software for customer-facing services or internal operations must consider the risk of reputational damage and loss of customer trust in addition to regulatory penalties.

Immediate mitigation steps include implementing input validation and parameterized queries or prepared statements in the /book_car.php file to prevent SQL injection. Organizations should audit their current deployment of the Car Rental System to identify if version 1.0 is in use and isolate affected systems from public internet access where possible. Employing Web Application Firewalls (WAFs) with SQL injection detection rules can provide temporary protection against exploitation attempts. Monitoring and logging database queries for anomalous patterns related to the 'fname' parameter can help detect exploitation attempts early. Since no official patches are currently available, organizations should engage with the vendor or community for updates or consider upgrading to a newer, unaffected version if available. Additionally, conducting regular security assessments and penetration testing focused on input validation can help identify similar vulnerabilities proactively.