CVE-2025-40617
📋 TL;DR
A critical SQL injection vulnerability in Bookgy allows attackers to manipulate database operations through unvalidated HTTP parameters. Attackers can execute arbitrary SQL commands to retrieve, modify, or delete sensitive data. All Bookgy installations using the vulnerable endpoint are affected.
💻 Affected Systems
- Bookgy
📦 What is this software?
Bookgy by Bookgy
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data destruction, and potential remote code execution through database functions.
Likely Case
Data exfiltration of sensitive information (user credentials, personal data, financial records) and unauthorized data manipulation.
If Mitigated
Limited impact if proper input validation and WAF rules are in place, though risk remains until patched.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized. The CVSS 9.8 score indicates trivial exploitation with high impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-bookgy
Restart Required: Yes
Instructions:
1. Review the vendor advisory for patch details.
2. Apply the official patch from the Bookgy vendor.
3. Restart the Bookgy application/service.
4. Verify the fix is applied.
🔧 Temporary Workarounds
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns in the vulnerable parameters (IDTIPO, IDPISTA, IDSOCIO). WAF configuration depends on your specific WAF solution.
# Example ModSecurity rule, scoped to the three affected arguments:
SecRule ARGS:IDTIPO|ARGS:IDPISTA|ARGS:IDSOCIO "@rx (?i)\b(union|select|insert|update|delete|drop|create)\b" "id:1001,phase:2,deny,status:403,msg:'SQL keyword in Bookgy booking parameter'"
A keyword list alone does not catch tautology payloads such as the ' OR '1'='1 example used in the verification section below; because all three parameters are numeric identifiers, a rule that rejects any value containing a non-digit character is both tighter and less prone to false positives.
Input Validation Filter
Implement server-side input validation so that the IDTIPO, IDPISTA, and IDSOCIO parameters are accepted only as integers.
# PHP example for parameter sanitization (applied to all three parameters):
$ids = [];
foreach (['IDTIPO', 'IDPISTA', 'IDSOCIO'] as $name) {
    $ids[$name] = filter_var($_GET[$name] ?? '', FILTER_VALIDATE_INT);
    if ($ids[$name] === false) { http_response_code(400); die('Invalid input'); }
}
Validation narrows the accepted input, but it is a stopgap: the durable fix is to bind the values with prepared statements, as noted under "If You Can't Patch" below.
🧯 If You Can't Patch
- Block access to /bkg_seleccionar_hora_ajax.php endpoint at network perimeter or application firewall
- Implement strict parameter validation and prepared statements in the vulnerable PHP file
🔍 How to Verify
Check if Vulnerable:
Test the endpoint with SQL injection payloads in IDTIPO, IDPISTA, or IDSOCIO parameters (e.g., ' OR '1'='1)
Check Version:
Check Bookgy version in application interface or configuration files
Verify Fix Applied:
Attempt SQL injection tests after patch; successful attacks should be blocked and return error messages
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple requests with SQL keywords in parameters
- Requests to /bkg_seleccionar_hora_ajax.php with suspicious parameter values
Network Indicators:
- HTTP requests containing SQL injection patterns in URL parameters
- Unusual database query patterns from application server
SIEM Query:
source="*bookgy*" AND (url="*bkg_seleccionar_hora_ajax.php*" AND (param="*union*" OR param="*select*" OR param="*insert*" OR param="*update*" OR param="*delete*"))
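The log indicators and SIEM query above match on SQL keywords, which would miss the ' OR '1'='1 payload mentioned in the verification section because it contains none of the listed words. The following Python scanner, added here as an illustration and not part of the advisory or of Bookgy, applies both checks to Apache combined-format access log lines: it parses the request target, keeps only hits on /bkg_seleccionar_hora_ajax.php, and flags any IDTIPO, IDPISTA or IDSOCIO value that is not a plain integer or that contains one of the page's SQL keywords. The log lines, IP addresses and timestamps are constructed sample data; the log format and the integer-only expectation for the three parameters are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); not real Bookgy traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /bkg_seleccionar_hora_ajax.php?IDTIPO=3&IDPISTA=12&IDSOCIO=4471 HTTP/1.1" 200 512
203.0.113.11 - - [10/Jan/2025:10:00:07 +0000] "GET /bkg_seleccionar_hora_ajax.php?IDTIPO=3'%20OR%20'1'%3D'1&IDPISTA=12&IDSOCIO=4471 HTTP/1.1" 200 8812
203.0.113.12 - - [10/Jan/2025:10:00:09 +0000] "GET /bkg_seleccionar_hora_ajax.php?IDTIPO=1%20union%20select&IDPISTA=1&IDSOCIO=1 HTTP/1.1" 500 233
203.0.113.13 - - [10/Jan/2025:10:00:12 +0000] "GET /index.php?page=select HTTP/1.1" 200 1024
"""

# Endpoint and parameter names come from the advisory; integer-only values are an assumption.
ENDPOINT = "/bkg_seleccionar_hora_ajax.php"
WATCHED_PARAMS = ("IDTIPO", "IDPISTA", "IDSOCIO")
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop|create)\b", re.IGNORECASE)
INTEGER_ONLY = re.compile(r"\d+")

# Minimal Apache combined-format matcher: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, params and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "%27" and "%20" become the characters the app saw.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def suspicious_params(params):
    """Map each watched parameter with an anomalous value to (value, [reasons])."""
    findings = {}
    for name in WATCHED_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        reasons = []
        # Numeric identifiers should never contain anything but digits; this catches
        # quote-based payloads that carry no SQL keyword at all.
        if not INTEGER_ONLY.fullmatch(value):
            reasons.append("non-integer")
        # Keyword check mirrors the WAF rule and SIEM query from the advisory.
        if SQL_KEYWORDS.search(value):
            reasons.append("sql-keyword")
        if reasons:
            findings[name] = (value, reasons)
    return findings


def scan_log(text):
    """Return one alert per log line that hits the vulnerable endpoint with an anomalous parameter."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        findings = suspicious_params(rec["params"])
        if findings:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for name, (value, reasons) in alert["findings"].items():
            print(f"{alert['ts']} {alert['ip']} status={alert['status']} {name}={value!r} {','.join(reasons)}")
```

On the sample input the first line is clean and produces nothing, the second is flagged only by the non-integer check, the third by both checks, and the fourth is ignored because it targets a different path. The status code is carried into the alert because a 500 following an anomalous value is the "unusual SQL error" signal from the log indicators above.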