
CVE-2025-9645: SQL Injection in itsourcecode Apartment Management System

Severity: Medium
Published: Fri Aug 29 2025 (08/29/2025, 12:32:11 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: Apartment Management System

Description

A vulnerability was identified in itsourcecode Apartment Management System 1.0. This affects an unknown part of the file /t_dashboard/r_all_info.php. The manipulation of the argument mid leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 08/29/2025, 13:17:44 UTC

Technical Analysis

CVE-2025-9645 is a SQL Injection vulnerability identified in itsourcecode Apartment Management System version 1.0. The vulnerability exists in the file /t_dashboard/r_all_info.php, specifically through the manipulation of the 'mid' parameter. This parameter is not properly sanitized, allowing an attacker to inject malicious SQL code. The vulnerability can be exploited remotely without requiring authentication or user interaction, making it accessible to any attacker with network access to the affected system. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the potential for partial compromise of confidentiality, integrity, and availability. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the database to a limited extent (VC:L, VI:L, VA:L). The scope is unchanged (S:U), and the exploit code is publicly available, increasing the risk of exploitation. Although no known exploits in the wild have been reported yet, the presence of public exploit code means that opportunistic attackers could leverage this vulnerability to extract sensitive data, modify database contents, or disrupt service availability. Given that apartment management systems typically handle tenant information, payment records, and property management data, exploitation could lead to unauthorized data disclosure, data tampering, or denial of service conditions.

Potential Impact

For European organizations using the itsourcecode Apartment Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of tenant and property management data. Unauthorized access to tenant personal information, payment details, or lease agreements could lead to privacy violations under GDPR regulations, resulting in legal and financial penalties. Data tampering could disrupt billing processes or property management operations, causing operational and reputational damage. Availability impacts, while limited, could affect tenant services and administrative functions. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially in multi-tenant or cloud-hosted deployments common in Europe. Organizations in Europe must consider the regulatory implications of data breaches and the potential for targeted attacks on property management infrastructure, which is critical for housing and real estate sectors.

Mitigation Recommendations

1. Immediate application of patches or updates from the vendor once available is critical. Since no patch links are currently provided, organizations should contact itsourcecode for official remediation.
2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'mid' parameter in /t_dashboard/r_all_info.php.
3. Conduct input validation and sanitization on all user-supplied parameters, particularly 'mid', to prevent injection of malicious SQL code.
4. Employ parameterized queries or prepared statements in the application code to eliminate direct concatenation of user input into SQL commands.
5. Restrict network access to the management system to trusted IP addresses or VPNs to reduce exposure to remote attackers.
6. Monitor logs for unusual database queries or repeated access attempts to the vulnerable endpoint.
7. Perform regular security assessments and code reviews focusing on injection vulnerabilities.
8. Educate development and operations teams about secure coding practices and the risks of SQL injection.
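The following PHP snippet is an added example illustrating recommendations 3, 4 and 6; it is not code from the itsourcecode project and does not reproduce /t_dashboard/r_all_info.php. The table and column names (member_info, member_id, name, unit_no) and the function names are assumptions chosen for illustration. It shows the concatenation pattern that makes a lookup keyed on 'mid' injectable, beside a hardened version that validates the parameter as an integer and binds it through a mysqli prepared statement, plus a small logging hook so rejected values surface in monitoring.

```php
<?php
// Added example, not the itsourcecode project's code. Table/column names
// and function names are assumptions for illustration only.

// --- Vulnerable pattern: request input concatenated straight into SQL ---
function fetchMemberInfoVulnerable(mysqli $db, array $request): ?array
{
    $mid = $request['mid'] ?? '';
    // Whatever arrives in 'mid' becomes part of the statement text, so the
    // caller controls the query structure, not just the compared value.
    $sql = "SELECT * FROM member_info WHERE member_id = '" . $mid . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// --- Hardened pattern: validate the type, then bind the value ---
function fetchMemberInfo(mysqli $db, array $request): ?array
{
    // Recommendation 3: 'mid' is a record identifier, so accept only a
    // positive integer; anything else is rejected before touching the DB.
    $mid = filter_var(
        $request['mid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($mid === false) {
        logRejectedMid($_SERVER['REMOTE_ADDR'] ?? 'unknown', $request['mid'] ?? null);
        http_response_code(400);
        return null;
    }

    // Recommendation 4: the statement text is fixed at prepare time; the
    // value is sent separately and can never alter the query's structure.
    $stmt = $db->prepare(
        'SELECT member_id, name, unit_no FROM member_info WHERE member_id = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $mid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Recommendation 6: record rejected values so repeated probing of this
// endpoint is visible in the application log / SIEM.
function logRejectedMid(string $remoteAddr, $rawMid): void
{
    error_log(sprintf(
        '[r_all_info] rejected mid=%s from %s',
        json_encode($rawMid),
        $remoteAddr
    ));
}

// Usage from a request handler (constructed call, assumes $db is a live mysqli):
// $row = fetchMemberInfo($db, $_GET);
```

Integer validation alone is not the defence; the prepared statement is. The validation step narrows what reaches the database and gives monitoring a clean signal (a non-integer 'mid' on this endpoint has no legitimate use), while binding ensures that even a value which passes validation is treated purely as data.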


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-29T05:59:10.844Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b1a4f8ad5a09ad0077dbe4

Added to database: 8/29/2025, 1:02:48 PM

Last enriched: 8/29/2025, 1:17:44 PM

Last updated: 8/29/2025, 3:30:01 PM
