CVE-2025-9843 is a medium-severity information disclosure vulnerability identified in version 6.2.0 of the Das Parking Management System (停车场管理系统). The flaw exists in an unspecified function within the /Operator/FindAll endpoint. This vulnerability allows an unauthenticated remote attacker to manipulate the system and gain unauthorized access to sensitive information. The vulnerability does not require any user interaction or authentication, making it remotely exploitable over the network with low attack complexity. The CVSS 4.0 base score is 6.9, reflecting a moderate impact primarily on confidentiality, with no direct impact on integrity or availability. The exploit code has been published, increasing the risk of exploitation, although no confirmed in-the-wild attacks have been reported yet. The vulnerability stems from improper access control or insufficient validation in the affected endpoint, which could expose sensitive operational or user data managed by the parking system. Given the nature of parking management systems, the leaked information could include user identities, vehicle details, parking session data, or administrative information, which could be leveraged for further attacks or privacy violations.

For European organizations using the Das Parking Management System 6.2.0, this vulnerability poses a significant risk to the confidentiality of sensitive data related to parking operations and users. Exposure of such information could lead to privacy breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Additionally, attackers could use the disclosed information to facilitate targeted attacks such as social engineering, physical security breaches, or fraud. Since parking management systems often integrate with broader facility management or security infrastructure, the information disclosure could serve as a stepping stone for lateral movement within enterprise networks. The risk is heightened in environments with high volumes of personal data or critical infrastructure integration, common in European smart city deployments and large commercial or municipal parking facilities.

To mitigate this vulnerability, organizations should prioritize upgrading to a patched version of the Das Parking Management System once available. In the absence of an official patch, immediate mitigations include restricting external network access to the /Operator/FindAll endpoint via firewall rules or network segmentation to limit exposure. Implementing Web Application Firewalls (WAF) with custom rules to detect and block suspicious requests targeting this endpoint can reduce exploitation risk. Monitoring and logging access to the affected endpoint should be enhanced to detect anomalous activity promptly. Additionally, organizations should conduct thorough audits of the data accessible through this endpoint to understand the scope of potential exposure and apply data minimization principles where possible. Finally, reviewing and strengthening authentication and authorization controls around administrative interfaces can help prevent unauthorized access through other vectors.