CVE Alert: CVE-2025-12208 – SourceCodester – Best House Rental Management System

CVE-2025-12208

HIGH
No exploitation known

A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It affects the function login2 of the file /admin_class.php. Manipulating the argument Username results in SQL injection. The attack can be carried out remotely. The exploit has been made public and may be used.

CVSS v3.1: 7.3
Vendor: SourceCodester
Product: Best House Rental Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-10-27T03:02:06.554Z
Updated: 2025-10-27T03:02:06.554Z

AI Summary Analysis

Risk verdict

High risk: a remotely exploitable SQL injection with a publicly available exploit could enable unauthenticated administrative access and data exposure. KEV, EPSS and SSVC exploitation-state data are not provided, so a priority-1 classification cannot be confirmed.

Why this matters

If an attacker can manipulate the login input, they may read, modify or exfiltrate data and potentially take control of the application server. The impact may scale to additional records or services within the affected deployment, with regulatory and reputational consequences for organisations hosting customer or financial information.

Most likely attack path

An attacker can exploit this over the network without user interaction by injecting into the Username parameter of the login function to trigger SQL injection. With successful access, they could enumerate or alter database content, potentially escalate to higher-privileged actions on the web layer, and pivot to adjacent services if network access is insufficiently restricted.

Who is most exposed

Internet-facing installations of web-based management systems on common hosting stacks are most at risk, especially where input handling, error messages, or database permissions are lax and a WAF is not in place.

Detection ideas

  • Unexpected database errors or stack traces in application logs
  • Anomalous or crafted Username inputs in login requests
  • Repeated failed login attempts with unusual payloads
  • WAF/SIEM alerts matching SQLi signatures on login endpoints
  • Unusual spikes in database query activity around authentication
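The following is an added example, not part of the advisory or the SourceCodester code base, showing how the second, third and fourth detection ideas above could be scored over login requests. The log layout ("<ip> <method> <path> <status> body=<urlencoded form>"), the login2 route, the form field names and the sample lines themselves are constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines, not from any real deployment; the layout
# "<ip> <method> <path> <status> body=<urlencoded form>" and the login2 route are assumed.
SAMPLE_LOG = """\
10.0.0.5 POST /admin_class.php?f=login2 200 body=username=alice&password=s3cret
10.0.0.9 POST /admin_class.php?f=login2 500 body=username=admin%27+OR+%271%27%3D%271&password=x
10.0.0.9 POST /admin_class.php?f=login2 500 body=username=admin%27+UNION+SELECT+1%2C2--&password=x
10.0.0.9 POST /admin_class.php?f=login2 401 body=username=admin%27--&password=x
10.0.0.7 GET /index.php 200 body=
"""
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) body=(?P<body>.*)$")
# Tokens that rarely belong in a legitimate username: quotes, SQL comment markers,
# and word-bounded boolean/union keywords (case-insensitive). Each carries a weight.
CHECKS = [("quote", re.compile(r"['\"]"), 2),
          ("sql comment", re.compile(r"--|#|/\*"), 2),
          ("sql keyword", re.compile(r"\b(?:or|and|union|select|sleep)\b", re.I), 1)]

def parse_line(line):
    """Parse one log line into a dict with decoded form params; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["body"], keep_blank_values=True).items()}
    return rec

def score_login(rec):
    """Score a login2 request; returns (score, reasons). 0 means nothing suspicious."""
    if "login2" not in rec["path"]:
        return 0, []
    username = rec["params"].get("username", "")
    score, reasons = 0, []
    for name, pattern, weight in CHECKS:
        if pattern.search(username):
            score, reasons = score + weight, reasons + [name]
    if rec["status"] == "500":  # a DB error surfacing as a server error is itself a signal
        score, reasons = score + 2, reasons + ["HTTP 500 on login"]
    return score, reasons

def analyze(log_text, threshold=3):
    """Return (flagged, per_ip): suspicious login records and how many each source IP sent."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_login(rec)
        if score >= threshold:  # repeated hits from one IP point at the "repeated attempts" idea
            flagged.append({"ip": rec["ip"], "score": score, "reasons": reasons})
    return flagged, Counter(f["ip"] for f in flagged)
```

Tune the weights and threshold against your own traffic before alerting, since a single quote in a username is a weak signal on its own and the HTTP 500 condition depends on verbose errors being surfaced.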

Mitigation and prioritisation

  • Patch or upgrade to a fixed version; if none is available, implement strict input handling, use prepared statements or an ORM for all database access, and disable verbose error output.
  • Deploy or tune a web application firewall to block SQLi patterns on login endpoints; enable rate limiting.
  • Enforce least privilege on the application DB user; restrict admin interfaces to VPN or jump hosts; segment network access.
  • Change-management: test fixes in a staging environment before rollout; monitor for post-deployment anomalies.
  • If the CVE is listed in KEV or its EPSS score is ≥ 0.5, treat it as priority 1. Otherwise, assign high-priority remediation with rapid follow-up.
