CVE-2025-4764
Published: 22 January 2026
Summary
CVE-2025-4764 is a high-severity SQL Injection (CWE-89) vulnerability in Aida Hotel Guest Hotspot. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-4764 is an improper neutralization of special elements used in an SQL command, classified as an SQL Injection vulnerability (CWE-89), affecting the Hotel Guest Hotspot software from Aida Computer Information Technology Inc. This issue impacts Hotel Guest Hotspot versions through 22012026.
The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited over an adjacent network with low attack complexity by an attacker possessing low privileges and requiring no user interaction. Successful exploitation enables high-impact violations of confidentiality, integrity, and availability, potentially allowing arbitrary SQL command execution.
A related advisory is published at https://www.usom.gov.tr/bildirim/tr-26-0001. The vendor was contacted early regarding this disclosure but provided no response, and no patches or specific mitigations are detailed in available information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4161
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about…
more
this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct SQL injection vulnerability in application software enables exploitation of public/adjacent-facing apps per T1190, allowing arbitrary command execution with full CIA impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates SQL injection by requiring validation and sanitization of user inputs before they are used in SQL commands.
Prevents SQL injection by restricting inputs to safe types, formats, and quantities that block malicious SQL payloads.
Addresses the specific SQL injection flaw through identification, reporting, and timely remediation via patches or mitigations.