
CVE-2025-7606: SQL Injection in code-projects AVL Rooms

Severity: Medium
Published: Mon Jul 14 2025 (07/14/2025, 13:02:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: AVL Rooms

Description

A vulnerability classified as critical has been found in code-projects AVL Rooms 1.0. This affects an unknown part of the file /city.php. The manipulation of the argument city leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/14/2025, 13:31:07 UTC

Technical Analysis

CVE-2025-7606 is a SQL injection vulnerability in version 1.0 of the AVL Rooms application from code-projects. The flaw is in the /city.php script: the value of the 'city' request parameter reaches a database query without being parameterised or otherwise neutralised, so a remote attacker who can reach the endpoint can place SQL syntax in that parameter and change what the query does. Exploitation requires neither authentication nor user interaction. Depending on the affected query and the privileges of the database account the application uses, this can disclose or modify backend data (for example booking or room records), support follow-on attacks such as data exfiltration or privilege escalation within the application, or degrade availability, for instance through deliberately expensive queries. The vulnerability carries a CVSS 4.0 base score of 6.9 (medium): the attack vector is network-based with no privileges or user interaction required, but the confidentiality, integrity and availability impacts are each rated low. No official patch has been published and no in-the-wild exploitation has been observed, but the exploit details are public, which lowers the bar for opportunistic attacks against exposed installations.
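The following is an added example, not code from AVL Rooms or from the advisory: the application's real schema and query are not on this page, so the rooms table, its rows, the function names and the two payload strings below are constructed for illustration. It uses an in-memory SQLite database so it runs offline; the mechanics of splicing a request parameter into SQL text, and of fixing it with a bound parameter, are the same on MySQL or any other backend.

```python
import sqlite3

# Constructed sample data: the real AVL Rooms schema is not published on this
# advisory page, so this table and its rows are an assumption for illustration.
SAMPLE_ROOMS = [
    ("Berlin", "Room A", 120),
    ("Berlin", "Room B", 95),
    ("Paris", "Suite 1", 210),
    ("Madrid", "Room C", 80),
]


def build_db():
    """In-memory SQLite database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rooms (city TEXT, room_name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO rooms VALUES (?, ?, ?)", SAMPLE_ROOMS)
    conn.commit()
    return conn


def lookup_rooms_vulnerable(conn, city):
    """The pattern the advisory describes: the request parameter is spliced into
    the SQL text, so quotes and keywords inside it become part of the query."""
    sql = "SELECT city, room_name, price FROM rooms WHERE city = '" + city + "'"
    return conn.execute(sql).fetchall()


def lookup_rooms_safe(conn, city):
    """Hardened form: a parameterised query. The driver sends the value
    separately from the statement, so it can never alter the query's structure."""
    sql = "SELECT city, room_name, price FROM rooms WHERE city = ?"
    return conn.execute(sql, (city,)).fetchall()


# Two generic SQL injection strings for the 'city' parameter, written for this
# example; they are not a published exploit for this CVE.
TAUTOLOGY = "x' OR '1'='1"
# The trailing "--" comments out the closing quote the query appends; the UNION
# pulls rows from sqlite_master, SQLite's catalogue table (information_schema
# plays the same role on MySQL). Three columns, to match the original SELECT.
UNION_LEAK = "x' UNION SELECT name, sql, type FROM sqlite_master --"


def demo():
    """Run both query styles against benign and hostile input and return the rows."""
    conn = build_db()
    return {
        "vuln_benign": lookup_rooms_vulnerable(conn, "Berlin"),
        "vuln_tautology": lookup_rooms_vulnerable(conn, TAUTOLOGY),  # every row
        "vuln_union": lookup_rooms_vulnerable(conn, UNION_LEAK),     # schema leaks
        "safe_benign": lookup_rooms_safe(conn, "Berlin"),
        "safe_tautology": lookup_rooms_safe(conn, TAUTOLOGY),        # no such city
        "safe_union": lookup_rooms_safe(conn, UNION_LEAK),           # no such city
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

With the vulnerable function the tautology returns every room and the UNION payload returns the table definition, which is the kind of schema and data disclosure the analysis above refers to; the parameterised function returns the same rows for "Berlin" and nothing for either payload, because the hostile string is only ever compared against the city column as a value.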

Potential Impact

For European organizations using AVL Rooms 1.0, this vulnerability poses a risk of unauthorized database access and potential data breaches. Given that the attack can be launched remotely without authentication, any exposed AVL Rooms installations could be targeted by attackers to extract sensitive customer or operational data, manipulate booking or room information, or disrupt service availability. This could lead to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and operational disruptions. The medium severity score suggests the impact is moderate, but the ease of exploitation and public availability of exploit code increase the urgency for mitigation. Organizations in sectors such as hospitality, real estate, or property management using this software in Europe should be particularly vigilant.

Mitigation Recommendations

Since no official patch is available, organizations running AVL Rooms 1.0 should apply the following mitigations now:

1) Fix the query itself. Rewrite the database access in /city.php to use prepared statements with bound parameters (for example PDO or mysqli prepared statements in PHP) so the 'city' value is never concatenated into SQL text. Input validation, such as an allow-list of known city names, is useful defence in depth but is not a substitute for parameterised queries.
2) Reduce exposure. Restrict access to the /city.php endpoint, or to the whole application, with network controls such as firewalls, IP allow-lists or a VPN until a fix is deployed.
3) Monitor. Review web server and application logs for requests to /city.php whose 'city' parameter contains quote characters combined with SQL keywords (UNION, SELECT, OR, AND, SLEEP) or comment sequences (--, #, /*), including their URL-encoded forms, as indicators of injection attempts.
4) Filter. Deploy a Web Application Firewall with SQL injection rules in front of the application. Treat a WAF as a stopgap: encoding and syntax variations can bypass signature rules, and the flaw remains in the code.
5) Plan the upgrade. Track the vendor for an official fix and deploy it promptly once released.
6) Verify and contain. Include SQL injection test cases for AVL Rooms installations in security audits and penetration tests, and run the application's database account with the minimum privileges it needs, so a successful injection cannot read or modify tables the application does not use.
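A detection pass for step 3, as an added example rather than a tool from the advisory or the vendor: it parses combined-format access log lines, decodes the query string the way the web server would, and flags requests to /city.php whose 'city' value carries SQL injection indicators. The log lines, IP addresses, user agents and payloads are constructed for this example; the indicator patterns are generic and assumed, and the hypothetical "St. John's" entry is there to show that a lone apostrophe in a legitimate city name is not flagged.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines in combined log format. They are not real
# traffic; the payloads are generic SQL injection probes written for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2025:13:05:01 +0000] "GET /city.php?city=Berlin HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jul/2025:13:05:07 +0000] "GET /city.php?city=Berlin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jul/2025:13:06:12 +0000] "GET /city.php?city=x%27+UNION+SELECT+1%2C2%2C3--+- HTTP/1.1" 200 305 "-" "sqlmap/1.8"
198.51.100.7 - - [14/Jul/2025:13:06:20 +0000] "GET /city.php?city=Paris%27%29+AND+SLEEP%285%29--+- HTTP/1.1" 200 305 "-" "sqlmap/1.8"
192.0.2.44 - - [14/Jul/2025:13:07:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.44 - - [14/Jul/2025:13:07:30 +0000] "GET /city.php?city=St.+John%27s HTTP/1.1" 200 1200 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicators keyed by name (assumed patterns). Each is a sign that the value is
# trying to become SQL syntax; a lone apostrophe in a city name is not enough.
SQLI_INDICATORS = {
    "tautology":     re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),
    "union_select":  re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "time_based":    re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
    "sql_comment":   re.compile(r"(--|/\*|#)"),
    "stacked_query": re.compile(r"'\s*\)?\s*;"),
}

WATCHED_PATH = "/city.php"   # endpoint named in the advisory
WATCHED_PARAM = "city"       # parameter named in the advisory


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes and turns '+' into spaces, as the server would;
    # keep the first value per key.
    rec["params"] = {k: v[0] for k, v in
                     parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def sqli_indicators(value):
    """Sorted names of the indicators matching the value. The value is checked as
    decoded once (what the server saw) and decoded again, so a double-encoded
    payload aimed at a WAF is not missed."""
    hits = set()
    for candidate in (value, unquote_plus(value)):
        for name, pattern in SQLI_INDICATORS.items():
            if pattern.search(candidate):
                hits.add(name)
    return sorted(hits)


def scan_log(text):
    """One finding per request to /city.php whose 'city' value shows SQLi indicators."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != WATCHED_PATH:
            continue
        value = rec["params"].get(WATCHED_PARAM)
        if value is None:
            continue
        hits = sqli_indicators(value)
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"],
                             "city": value, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:14s} {f['ua']:12s} "
              f"city={f['city']!r} -> {', '.join(f['indicators'])}")
```

On the sample log this yields three findings: the tautology from 203.0.113.10 and the UNION and time-based probes from 198.51.100.7, while the benign "Berlin" and "St. John's" requests pass. The same indicator table can drive a WAF rule (step 4), with the caveat already given there that signature matching is a stopgap and the decoding step matters as much as the patterns.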


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-13T14:39:32.418Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68750312a83201eaacc6b38b

Added to database: 7/14/2025, 1:16:02 PM

Last enriched: 7/14/2025, 1:31:07 PM

Last updated: 7/16/2025, 1:24:08 PM

