CVE-2025-8375: SQL Injection in code-projects Vehicle Management
A vulnerability was found in code-projects Vehicle Management 1.0. It has been rated as critical. This issue affects some unknown processing of the file /addvehicle.php. The manipulation of the argument vehicle leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8375 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Vehicle Management software. The vulnerability arises from improper handling of the 'vehicle' parameter in the /addvehicle.php endpoint, allowing an attacker to inject malicious SQL code. This flaw can be exploited remotely without any authentication or user interaction, as the vulnerable parameter is directly manipulable via HTTP requests. The injection can lead to unauthorized access to the backend database, enabling attackers to read, modify, or delete sensitive data stored within the Vehicle Management system. Given the nature of SQL Injection, the attacker could potentially escalate the impact to compromise the entire database server or pivot to other parts of the network. The CVSS 4.0 score is 6.9 (medium severity), reflecting that while the attack vector is network-based and requires no privileges or user interaction, the impact on confidentiality, integrity, and availability is limited to low to moderate levels. The vulnerability is publicly disclosed, but no known exploits are currently observed in the wild. No patches or fixes have been linked yet, indicating that affected organizations must rely on mitigation strategies until an official update is available.
Potential Impact
For European organizations using code-projects Vehicle Management 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of vehicle-related data. Compromise of the database could lead to exposure of sensitive information such as vehicle registration details, user data, or operational records. This could result in regulatory non-compliance, especially under GDPR, leading to legal and financial penalties. Additionally, data manipulation could disrupt business operations, causing availability issues or erroneous vehicle management decisions. The remote and unauthenticated nature of the exploit increases the risk of automated attacks or mass scanning campaigns targeting vulnerable installations. Organizations in sectors such as automotive services, fleet management, or government agencies managing vehicle data are particularly at risk. The lack of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future exploitation.
Mitigation Recommendations
1. Immediate mitigation should include implementing web application firewall (WAF) rules to detect and block suspicious SQL injection payloads targeting the /addvehicle.php endpoint, particularly focusing on the 'vehicle' parameter.
2. Conduct a thorough code review and apply input validation and parameterized queries or prepared statements to sanitize and safely handle all user inputs in the affected endpoint.
3. Restrict database user privileges to the minimum necessary to limit the impact of a successful injection.
4. Monitor logs for unusual database queries or errors indicative of injection attempts.
5. If possible, isolate the Vehicle Management system within a segmented network zone to reduce lateral movement risk.
6. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
7. Educate developers and administrators on secure coding practices to prevent similar vulnerabilities in future releases.
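The following Python script is an added illustration of the flaw class described in the Technical Summary and of recommendation 2 above (allow-list validation plus a parameterized query). It is not code from code-projects Vehicle Management: the real /addvehicle.php is PHP and its database schema is not on the page, so the script uses an in-memory SQLite table as a stand-in, and the table layout, the allowed character set for the 'vehicle' value, and every function name are assumptions made for the example.

```python
import re
import sqlite3

# Constructed stand-in for the application's vehicles table; the real schema
# behind /addvehicle.php is not on the page, so this layout is an assumption.
SCHEMA = "CREATE TABLE vehicles (id INTEGER PRIMARY KEY, vehicle TEXT NOT NULL)"

# Allow-list for the 'vehicle' field: letters, digits, space, dot, hyphen and
# apostrophe, 1-64 characters. Semicolons and comment markers never reach the
# query. The exact character set is an assumption for this example.
VEHICLE_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")


def new_db():
    """Fresh in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_vehicle_unsafe(conn, vehicle):
    """The flawed pattern: the untrusted value is spliced into the SQL text,
    so any quote character in it is parsed as SQL rather than stored as data."""
    sql = "INSERT INTO vehicles (vehicle) VALUES ('" + vehicle + "')"
    conn.execute(sql)
    conn.commit()


def validate_vehicle(vehicle):
    """Return None when the value is acceptable, otherwise a rejection reason."""
    if not isinstance(vehicle, str):
        return "not a string"
    if VEHICLE_RE.fullmatch(vehicle) is None:
        return "characters outside the allowed set, or bad length"
    return None


def add_vehicle_safe(conn, vehicle):
    """Hardened pattern: allow-list validation first, then a parameterized
    INSERT. The driver passes the value separately from the SQL text, so even
    a permitted apostrophe is stored literally and never alters the statement."""
    reason = validate_vehicle(vehicle)
    if reason is not None:
        raise ValueError("rejected vehicle value: " + reason)
    conn.execute("INSERT INTO vehicles (vehicle) VALUES (?)", (vehicle,))
    conn.commit()


def stored_vehicles(conn):
    """All stored vehicle names, in insertion order."""
    return [row[0] for row in conn.execute("SELECT vehicle FROM vehicles ORDER BY id")]


def unsafe_insert_breaks(vehicle):
    """True when the concatenating version cannot even parse the statement for
    this value: the database error that typically first exposes such a flaw."""
    conn = new_db()
    try:
        add_vehicle_unsafe(conn, vehicle)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = new_db()
    add_vehicle_safe(conn, "Ford Transit")
    add_vehicle_safe(conn, "O'Brien's van")  # apostrophe is data, not SQL
    print("stored:", stored_vehicles(conn))
    print("concatenation breaks on apostrophe:", unsafe_insert_breaks("O'Brien's van"))
    print("validation rejects 'van; --':", validate_vehicle("van; --"))
```

The two layers are deliberately independent: the allow-list rejects values that have no business in a vehicle name, and the placeholder in the INSERT guarantees that whatever does pass validation is bound as data. Either layer alone would have prevented the injection; keeping both means a later relaxation of the allow-list does not reopen the query.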
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-30T16:51:11.571Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 688b34bbad5a09ad00b5bf41
Added to database: 7/31/2025, 9:17:47 AM
Last enriched: 7/31/2025, 9:32:42 AM
Last updated: 8/1/2025, 8:18:14 AM