CVE-2025-9842: Information Disclosure in Das Parking Management System 停车场管理系统
A vulnerability was detected in Das Parking Management System 停车场管理系统 6.2.0. It affects an unknown function of the file /Operator/Search. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit is publicly available and may be used.
AI Analysis
Technical Summary
CVE-2025-9842 is a medium-severity information disclosure vulnerability identified in version 6.2.0 of the Das Parking Management System (停车场管理系统). The vulnerability resides in an unspecified function within the /Operator/Search endpoint of the system. An attacker can remotely exploit this flaw without requiring authentication or user interaction, leveraging the low attack complexity to gain unauthorized access to sensitive information. The vulnerability does not impact system integrity or availability but compromises confidentiality by exposing potentially sensitive data managed by the parking system. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) indicates network attack vector, no privileges or user interaction needed, and low impact on confidentiality. Although the exact nature of the disclosed information is unspecified, parking management systems typically handle vehicle, user, and transaction data, which could include personally identifiable information (PII) or operational details. The exploit code is publicly available, increasing the risk of exploitation, although no active exploitation in the wild has been reported to date. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for immediate mitigation measures.
Potential Impact
For European organizations utilizing the Das Parking Management System 6.2.0, this vulnerability poses a risk of unauthorized disclosure of sensitive operational and personal data. Such information leakage could lead to privacy violations under GDPR, reputational damage, and potential regulatory penalties. In environments where parking systems integrate with broader facility management or security infrastructure, leaked information could facilitate further targeted attacks or social engineering. The exposure of user or vehicle data could also undermine trust in service providers. While the vulnerability does not directly enable system takeover or service disruption, the confidentiality breach alone is significant given the sensitivity of data handled. Organizations relying on this system in Europe must consider the implications for compliance and customer trust, especially in sectors like transportation, municipal services, and commercial real estate where parking management is critical.
Mitigation Recommendations
1. Immediate mitigation should include restricting network access to the /Operator/Search endpoint through firewall rules or network segmentation, limiting exposure to trusted internal networks only.
2. Implement strict access controls and monitoring on the parking management system to detect unusual query patterns or data access indicative of exploitation attempts.
3. If possible, disable or restrict the vulnerable functionality until a vendor patch is released.
4. Conduct thorough audits of logs and data access to identify any prior unauthorized disclosures.
5. Engage with the vendor Das to obtain timelines for patches or workarounds and apply updates promptly once available.
6. Consider deploying web application firewalls (WAFs) with custom rules to detect and block exploit attempts targeting the /Operator/Search endpoint.
7. Educate operational staff about the vulnerability and the importance of monitoring and reporting anomalies.
8. Review and enhance data encryption and anonymization practices within the parking system to minimize the impact of any potential data leakage.
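One way to carry out the monitoring and log-audit steps above (items 2 and 4) is to scan web server access logs for successful requests to /Operator/Search that did not originate from a trusted operator network. This is an added example, not code from the vendor or from this advisory; the trusted address ranges, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: operator workstations live in these ranges; adjust to your site.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Endpoint named in the advisory.
VULN_PATH = "/Operator/Search"

# Apache/nginx combined log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def is_trusted(ip):
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address is never trusted
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious(lines):
    """Return 2xx hits on /Operator/Search from outside the trusted networks.
    The path is compared case-insensitively (many frameworks route that way)
    and the query string is ignored so parameter variations cannot evade it."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in an unexpected format rather than crash
        path = rec["path"].split("?", 1)[0]
        if path.lower() == VULN_PATH.lower() and 200 <= rec["status"] < 300 and not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '10.0.5.20 - - [05/Sep/2025:10:01:02 +0000] "GET /Operator/Search?keyword=test HTTP/1.1" 200 1532',
    '203.0.113.45 - - [05/Sep/2025:10:02:10 +0000] "GET /Operator/Search?keyword=test HTTP/1.1" 200 48211',
    '203.0.113.45 - - [05/Sep/2025:10:02:11 +0000] "GET /Operator/Login HTTP/1.1" 200 921',
    '198.51.100.7 - - [05/Sep/2025:10:03:00 +0000] "GET /operator/search HTTP/1.1" 403 0',
    'this line is not in combined log format',
]
```

Run `find_suspicious(SAMPLE_LOG)` against your own logs to list the external client addresses and timestamps that item 4 asks you to audit.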
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-02T13:04:13.343Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b7892dad5a09ad00e9da2f
Added to database: 9/3/2025, 12:17:49 AM
Last enriched: 9/10/2025, 4:44:32 AM
Last updated: 10/18/2025, 9:00:08 AM