CVE-2025-8374: SQL Injection in code-projects Vehicle Management
A vulnerability was found in code-projects Vehicle Management 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /addcompany.php. The manipulation of the argument company leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8374 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Vehicle Management software. The vulnerability resides in the /addcompany.php script, specifically in the handling of the 'company' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially altering the intended database queries. This can lead to unauthorized access, data leakage, data modification, or even complete compromise of the underlying database. The vulnerability requires no authentication or user interaction, making it accessible to any remote attacker. The CVSS 4.0 score is 6.9, indicating a medium severity level, with network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The lack of available patches or mitigations from the vendor further exacerbates the threat. SQL Injection vulnerabilities are among the most critical web application security issues, often leading to severe consequences if exploited.
Potential Impact
For European organizations using code-projects Vehicle Management 1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their vehicle management data. Exploitation could allow attackers to extract sensitive company information, modify records, or disrupt business operations. Given that vehicle management systems often integrate with logistics, fleet tracking, and maintenance scheduling, a successful attack could result in operational downtime, financial losses, and reputational damage. Additionally, compromised data could lead to regulatory non-compliance under GDPR, resulting in legal penalties. The remote and unauthenticated nature of the vulnerability increases the likelihood of exploitation, especially if organizations have exposed the affected application to the internet without adequate protections.
Mitigation Recommendations
Organizations should immediately conduct an inventory to identify any deployments of code-projects Vehicle Management version 1.0. If found, they should isolate the affected systems from public networks until a patch or official fix is available. In the absence of vendor patches, applying web application firewall (WAF) rules to detect and block SQL injection patterns targeting the 'company' parameter in /addcompany.php can provide temporary protection. Code review and manual sanitization or parameterization of SQL queries in the affected script should be prioritized by development teams. Additionally, organizations should implement strict input validation and employ least privilege principles for database accounts used by the application to limit potential damage. Monitoring logs for suspicious activity related to the vulnerable endpoint is also recommended to detect potential exploitation attempts early.
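The parameterization the recommendation calls for, shown as an added illustration rather than the project's actual /addcompany.php source (which this page does not reproduce): a constructed insert that splices the `company` parameter into the SQL text, beside the same insert using a PDO prepared statement with input validation. The `company` table and `name` column are assumptions, and an in-memory SQLite database stands in for the real one so the script runs stand-alone.

```php
<?php
// Added illustration, not code from code-projects Vehicle Management.
// Table/column names are assumptions; in-memory SQLite replaces the real DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Weak pattern: untrusted input becomes part of the SQL text. Any quote
// character in $company changes the statement's structure (CWE-89).
function addCompanyUnsafe(PDO $pdo, string $company): void
{
    $sql = "INSERT INTO company (name) VALUES ('" . $company . "')";
    $pdo->exec($sql);
}

// Hardened pattern: the SQL text is fixed and the value is bound separately,
// so the database engine never parses it as part of the statement.
function addCompanySafe(PDO $pdo, string $company): void
{
    // Validate first: only the length the field actually needs (byte length).
    if ($company === '' || strlen($company) > 100) {
        throw new InvalidArgumentException('company must be 1-100 bytes');
    }
    $stmt = $pdo->prepare('INSERT INTO company (name) VALUES (:name)');
    $stmt->execute([':name' => $company]);
}

// Constructed input: a legitimate name containing an apostrophe. It is enough
// to break the concatenated query, showing the structure is input-controlled.
$input = "O'Connor Haulage";

try {
    addCompanyUnsafe($pdo, $input);
    echo "unsafe: inserted\n";
} catch (PDOException $e) {
    echo "unsafe: query broken by input -> " . $e->getMessage() . "\n";
}

addCompanySafe($pdo, $input);
$row = $pdo->query('SELECT name FROM company')->fetch(PDO::FETCH_ASSOC);
echo "safe: stored literally -> " . $row['name'] . "\n";
```

The same bound-parameter form applies to every query in the script that reads request data; a database account limited to INSERT/SELECT on the tables the page needs bounds the damage if one query is missed.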
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-30T16:51:08.534Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 688b2db3ad5a09ad00b4fe23
Added to database: 7/31/2025, 8:47:47 AM
Last enriched: 7/31/2025, 9:02:42 AM
Last updated: 8/1/2025, 8:18:12 AM