CVE-2025-9425 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Online Tour and Travel Management System. The flaw exists in the /enquiry.php file, specifically in the handling of the 'pid' parameter. An attacker can manipulate this parameter to inject malicious SQL code, which is then executed by the backend database. This vulnerability is remotely exploitable without requiring any authentication or user interaction, making it particularly dangerous. The injection can lead to unauthorized data access, data modification, or even complete compromise of the underlying database. The CVSS 4.0 score of 6.9 reflects a medium severity level, considering the attack vector is network-based with low attack complexity and no privileges or user interaction needed. However, the impact on confidentiality, integrity, and availability is rated as low individually, which moderates the overall severity. No official patches or fixes have been released yet, and while no known exploits are currently observed in the wild, the public availability of an exploit increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is a niche web-based application used primarily in the travel and tourism sector to manage bookings and enquiries.

For European organizations using the itsourcecode Online Tour and Travel Management System, this vulnerability poses a significant risk to the confidentiality and integrity of customer data and business records. Exploitation could lead to unauthorized disclosure of sensitive customer information, such as personal details and travel plans, potentially violating GDPR and other data protection regulations. Additionally, attackers could manipulate or delete booking data, disrupting business operations and damaging customer trust. Given the remote and unauthenticated nature of the exploit, attackers could automate attacks at scale, targeting multiple organizations simultaneously. The tourism sector is vital for many European economies, and disruptions or data breaches could have broader economic and reputational consequences. Furthermore, compromised systems could be leveraged as footholds for further attacks within organizational networks.

Organizations should immediately audit their use of the itsourcecode Online Tour and Travel Management System version 1.0 and identify any exposed instances of the /enquiry.php endpoint. As no official patches are currently available, it is critical to implement compensating controls such as web application firewalls (WAFs) configured to detect and block SQL injection attempts targeting the 'pid' parameter. Input validation and parameterized queries should be enforced if organizations have access to the source code or can implement custom fixes. Network segmentation and strict access controls can limit exposure. Monitoring and logging of database queries and web requests should be enhanced to detect suspicious activity promptly. Organizations should also plan to upgrade to a patched version once available or consider migrating to alternative solutions with better security postures. Regular security assessments and penetration testing focused on injection flaws are recommended to prevent similar vulnerabilities.