CVE-2025-6118
EUVD ID: EUVD-2025-18384
Severity: HIGH (CVSS 3.1 base score 7.3)
Published: 2025-06-16

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 21:59 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:59 (euvd), EUVD-2025-18384
CVE Published: Jun 16, 2025 - 11:15 (nvd), rated HIGH 7.3

Description (NVD)

A vulnerability was found in Das Parking Management System 停车场管理系统 6.2.0. It has been rated as critical. This issue affects some unknown processing of the file /vehicle/search of the component API. The manipulation of the argument vehicleTypeCode leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI-generated)

Das Parking Management System versions up to 6.2.0 contain a critical SQL injection vulnerability in the /vehicle/search API endpoint, specifically in the vehicleTypeCode parameter, allowing unauthenticated remote attackers to execute arbitrary SQL queries and potentially extract, modify, or delete database contents. The vulnerability has been publicly disclosed with proof-of-concept code available, and the CVSS 7.3 score reflects a network-reachable, low-complexity flaw requiring no privileges or user interaction, so active exploitation should be expected.

Technical Context (AI-generated)

The vulnerability exists in a Java/web-based parking management application (Das Parking Management System) where the /vehicle/search API endpoint fails to properly sanitize user-supplied input in the vehicleTypeCode parameter before incorporating it into SQL queries. This represents a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection') vulnerability, specifically SQL injection. The API endpoint processes HTTP requests without input validation or parameterized query preparation, allowing attackers to break out of the intended SQL context and inject arbitrary SQL syntax. The component handles vehicle database queries, making database access controls the only remaining security boundary.

Remediation (AI-generated)

Primary: Upgrade Das Parking Management System to a patched version beyond 6.2.0 (vendor must provide patched release).

Interim mitigations if upgrade is delayed:
(1) Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the vehicleTypeCode parameter (detect common SQL keywords: UNION, SELECT, DROP, etc.).
(2) Place the /vehicle/search endpoint behind authentication and network access controls to limit exposure.
(3) Implement input validation: whitelist acceptable vehicleTypeCode values (e.g., alphanumeric only, specific enumerated codes).
(4) Use database user accounts with minimal privileges (read-only if possible) to limit the impact of a successful SQL injection.
(5) Enable SQL query logging to detect attack attempts.

No vendor patch version information is publicly available; request it from Das support.
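The following Python example is added here to illustrate remediation items (3) and (5) above together with the parameterized-query fix named in the Technical Context. It is not code from Das Parking Management System (which the analysis describes as Java-based) and does not reflect its real schema or log format: the vehicle table, the allow-list of vehicle type codes and the query-log lines are all constructed for the demonstration, and sqlite3 stands in for whatever database the product uses.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's vehicle data
# (assumption: the real schema of the product is not on the page).
SAMPLE_VEHICLES = [
    ("A1", "PLATE-001", "resident"),
    ("B2", "PLATE-002", "visitor"),
    ("B2", "PLATE-003", "visitor"),
]

# Hypothetical allow-list of vehicle type codes (assumption: the real code
# list is not on the page). Remediation item (3): enumerate accepted values.
ALLOWED_VEHICLE_TYPE_CODES = frozenset({"A1", "B2", "C3"})

# Shape check applied before the allow-list lookup: short, alphanumeric only.
CODE_PATTERN = re.compile(r"^[A-Za-z0-9]{1,8}$")

# Constructed query-log format (assumption): "<timestamp> <path> vehicleTypeCode=<value>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<path>\S+) vehicleTypeCode=(?P<value>.*)$")
SAMPLE_QUERY_LOG = [
    "2025-01-01T00:00:01Z /vehicle/search vehicleTypeCode=A1",
    "2025-01-01T00:00:02Z /vehicle/search vehicleTypeCode=X' OR '1'='1",
    "2025-01-01T00:00:03Z /vehicle/search vehicleTypeCode=ZZ9",
    "2025-01-01T00:00:04Z /vehicle/list vehicleTypeCode=X' OR '1'='1",
]


def open_sample_db():
    """In-memory sqlite3 database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicle (vehicle_type_code TEXT, plate TEXT, owner_kind TEXT)")
    conn.executemany("INSERT INTO vehicle VALUES (?, ?, ?)", SAMPLE_VEHICLES)
    return conn


def validate_vehicle_type_code(code):
    """Allow-list validation: accept only a well-formed code that is on the list."""
    if not isinstance(code, str) or not CODE_PATTERN.fullmatch(code):
        return False
    return code in ALLOWED_VEHICLE_TYPE_CODES


def search_vulnerable(conn, vehicle_type_code):
    """The flaw pattern the page describes: the parameter is concatenated into the SQL text,
    so a value containing a quote changes the query instead of being compared as data."""
    sql = "SELECT plate FROM vehicle WHERE vehicle_type_code = '" + vehicle_type_code + "'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, vehicle_type_code):
    """Fix: validate against the allow-list first, then bind the value as a query parameter
    so the database driver never interprets it as SQL syntax."""
    if not validate_vehicle_type_code(vehicle_type_code):
        raise ValueError("rejected vehicleTypeCode")
    sql = "SELECT plate FROM vehicle WHERE vehicle_type_code = ?"
    return [row[0] for row in conn.execute(sql, (vehicle_type_code,))]


def flag_suspicious_requests(log_lines):
    """Remediation item (5): from query-log lines, return (timestamp, value) for every
    /vehicle/search request whose vehicleTypeCode fails the allow-list. Comparing against
    the allow-list catches malformed values without relying on a list of SQL keywords."""
    flagged = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m.group("path") != "/vehicle/search":
            continue
        if not validate_vehicle_type_code(m.group("value")):
            flagged.append((m.group("ts"), m.group("value")))
    return flagged


if __name__ == "__main__":
    conn = open_sample_db()
    crafted = "X' OR '1'='1"  # constructed test input containing a quote character
    print("vulnerable query returns:", search_vulnerable(conn, crafted))  # every plate
    try:
        search_hardened(conn, crafted)
    except ValueError as err:
        print("hardened query:", err)
    print("hardened query, valid code B2:", search_hardened(conn, "B2"))
    print("flagged log entries:", flag_suspicious_requests(SAMPLE_QUERY_LOG))
```

Running the script shows the vulnerable function returning all three plates for an input that should match none, while the hardened function rejects the same input before it reaches the database and returns only the B2 rows for a legitimate code. The log scan flags both the malformed value and a well-formed but unknown code, which is the behaviour you want when the accepted codes are a fixed enumeration.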


CVE-2025-6118 vulnerability details – vuln.today
