CVE-2025-9425: SQL Injection in itsourcecode Online Tour and Travel Management System
A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. The affected code is an unspecified function in the file /enquiry.php. Manipulating the argument pid leads to SQL injection. The attack can be launched remotely, and a public exploit is available.
AI Analysis
Technical Summary
CVE-2025-9425 is a SQL injection vulnerability in version 1.0 of the itsourcecode Online Tour and Travel Management System. The flaw is in /enquiry.php, where the 'pid' parameter is passed into a backend database query without adequate validation or parameterization. An unauthenticated remote attacker can therefore change the logic of that query, which can lead to unauthorized reading or modification of data and, depending on the privileges of the database account the application uses and on the server configuration, further compromise of the database host. No authentication or user interaction is required. The CVSS 4.0 base score is 6.9 (medium): the attack is network-reachable and needs no privileges or user interaction, but the confidentiality, integrity and availability impacts are each rated low. No vendor patch or official mitigation has been released. A proof-of-concept exploit is public, which makes opportunistic and automated exploitation likely even though exploitation in the wild has not been reported. Only version 1.0 is listed as affected; the product is a niche system, typically deployed by small travel agencies or tour operators to manage packages, bookings and enquiries.
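To make the bug class concrete, the following is an added example written for this page, not code from the itsourcecode product: a hypothetical packages table in an in-memory SQLite database, a lookup that concatenates pid into the query text (the pattern the advisory describes) and a hardened lookup that allow-lists pid as a decimal integer and binds it as a parameter. The schema, table name and sample rows are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the application's data (hypothetical schema,
# not the product's real tables).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO packages VALUES (?, ?, ?)",
        [(1, "Alpine Weekend", 499), (2, "Lisbon City Break", 350), (3, "Nile Cruise", 1200)],
    )
    return conn


def lookup_vulnerable(conn, pid):
    # Bug class from the advisory: the request parameter is spliced into the
    # SQL text, so the database parses it as SQL rather than treating it as a value.
    sql = "SELECT id, name, price FROM packages WHERE id = " + pid
    return conn.execute(sql).fetchall()


# Allow-list: pid is a product identifier, so only a short run of decimal digits
# is acceptable. Using [0-9] rather than \d avoids Unicode digit classes.
PID_OK = re.compile(r"^[0-9]{1,10}$")


def lookup_hardened(conn, pid):
    if not PID_OK.match(pid):
        # Reject before any query is built; callers should turn this into a 400.
        raise ValueError("pid must be a positive decimal integer")
    # Bound parameter: the value travels separately from the query text and can
    # never change the statement's structure.
    return conn.execute(
        "SELECT id, name, price FROM packages WHERE id = ?", (int(pid),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))          # one row, as intended
    print(lookup_vulnerable(db, "1 OR 1=1"))   # every row: the condition is always true
    print(lookup_hardened(db, "2"))            # one row
    try:
        lookup_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

With the concatenating version, pid='1 OR 1=1' returns every package instead of one; the hardened version rejects that input before the query exists, and a value that somehow passed validation would still be bound as data. The equivalent change in the PHP code base is PDO::prepare with bound parameters, or mysqli_prepare with bind_param, applied to every query that touches request input, not just the one in /enquiry.php.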
Potential Impact
For European organizations, this vulnerability poses a risk primarily to small and medium-sized enterprises (SMEs) in the travel and tourism sector that run the affected software. Exploitation could expose customer data, including personally identifiable information (PII) and booking details, which may constitute a personal data breach under the GDPR and lead to regulatory penalties. Data integrity could be compromised, allowing manipulated bookings or financial fraud. The availability impact is limited, but business operations would be disrupted if the database were corrupted or taken offline. Because the flaw is remote and unauthenticated and a public exploit exists, automated mass exploitation is a realistic scenario. The likely outcomes are data breaches, reputational damage and financial loss. Given the importance of tourism in Europe and the sensitivity of the customer data handled, the vulnerability is a tangible threat to affected organizations.
Mitigation Recommendations
Organizations using itsourcecode Online Tour and Travel Management System version 1.0 should immediately determine whether /enquiry.php is reachable and how the 'pid' parameter is handled. Specific mitigations:
1) Put a Web Application Firewall (WAF) in front of the application with a rule for the 'pid' parameter. Because pid should be a numeric identifier, a positive rule that rejects any non-numeric value is more robust than signature matching for SQL injection patterns, and should be used in addition to generic injection signatures.
2) If the source code is available, rewrite the affected query to use prepared statements with bound parameters and validate pid against an allow-list (decimal digits only) before it reaches the database layer. Apply the same treatment to every query that consumes request input.
3) Run the application under a database account with the minimum privileges it needs (no FILE, no administrative rights, no access to other schemas) so that a successful injection cannot escalate into full server compromise.
4) Monitor web server and database logs for requests to /enquiry.php whose pid value is not a plain integer, for unusual query shapes, and for response-size anomalies on that endpoint.
5) Where feasible, take the system off the public internet, or restrict access through a VPN or IP allow-list.
6) Contact the vendor for a patch and plan an upgrade path away from version 1.0.
7) Include injection testing in regular security assessments and penetration tests of the deployment.
These compensating controls target the specific vulnerable parameter and are intended to hold until a patch is available.
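As an added example of mitigation 4 (not tooling from the page or the vendor), the following Python flags requests to /enquiry.php whose pid value is not a plain decimal integer, working over a few constructed access-log lines in Apache/nginx combined format. The IP addresses, timestamps, sizes and payloads are made up for illustration; the path and parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Aug/2025:10:01:02 +0000] "GET /enquiry.php?pid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [26/Aug/2025:10:01:07 +0000] "GET /enquiry.php?pid=3%20OR%201%3D1 HTTP/1.1" 200 19870 "-" "python-requests/2.32"
203.0.113.11 - - [26/Aug/2025:10:01:09 +0000] "GET /enquiry.php?pid=3'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "python-requests/2.32"
203.0.113.12 - - [26/Aug/2025:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.13 - - [26/Aug/2025:10:03:00 +0000] "POST /enquiry.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of the combined log format up to the response size; the referrer and
# user agent are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Allow-list for the parameter: a short run of decimal digits and nothing else.
PID_OK = re.compile(r"^[0-9]{1,10}$")


def flag_pid_tampering(log_text, path="/enquiry.php", param="pid"):
    """Return one finding per request whose pid value fails the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != path:
            continue
        # parse_qs percent-decodes, so "3%20OR%201%3D1" becomes "3 OR 1=1".
        values = parse_qs(parts.query, keep_blank_values=True).get(param)
        if not values:
            continue  # no pid in the query string (e.g. POST bodies are not logged here)
        for value in values:
            if not PID_OK.match(value):
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "size": int(m["size"]) if m["size"].isdigit() else 0,
                    "pid": value,
                })
    return findings


def summarize_by_ip(findings):
    """Count flagged requests per source address to surface automated probing."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_pid_tampering(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarize_by_ip(hits))
```

Two of the five constructed lines are flagged, both from the same address, and the first of them returned a response almost four times the size of the legitimate request, which is what an injection that widens the result set looks like from the outside. The same allow-list expressed as a ModSecurity rule for mitigation 1 is `SecRule ARGS:pid "!@rx ^[0-9]{1,10}$" "id:100001,phase:2,deny,status:403,msg:'non-numeric pid'"`. If the application reads pid from a POST body, the access log will not show it, so the check has to run at the WAF or in the application itself.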
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-25T09:26:50.777Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68acef17ad5a09ad005126c7
Added to database: 8/25/2025, 11:17:43 PM
Last enriched: 8/25/2025, 11:33:01 PM
Last updated: 8/26/2025, 12:34:53 AM
Related Threats
CVE-2025-9418: SQL Injection in itsourcecode Apartment Management System (Medium)
CVE-2025-9431: Cross Site Scripting in mtons mblog (Medium)
CVE-2025-9430: Cross Site Scripting in mtons mblog (Medium)
CVE-2025-9429: Cross Site Scripting in mtons mblog (Medium)
CVE-2025-9426: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)