CVE Alert: CVE-2025-10446 – Campcodes – Computer Sales and Inventory System
CVE-2025-10446
A security vulnerability has been detected in Campcodes Computer Sales and Inventory System 1.0. The affected element is an unknown function of the file /pages/cust_searchfrm.php?action=edit. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
AI Summary Analysis
Risk verdict
High risk with publicly disclosed exploit and PoC, enabling remote, unauthenticated SQL injection via cust_searchfrm.php?action=edit.
Why this matters
Attorney-grade data exposure and potential modification of inventory records can disrupt operations and erode customer trust. Attackers could exfiltrate or alter data, or use the foothold to stage further moves within the affected environment, particularly where the application shares DB credentials or hosts administrative interfaces.
Most likely attack path
Remote attacker can trigger the vulnerability over the network without authentication, by supplying malicious input in the ID parameter. The low UI interaction requirement and lack of privileges means easy initial access, though impact is constrained to the database and the application layer; without strong segmentation, there is a non-trivial risk of broader data exposure or mild lateral movement if DB access is misconfigured.
Who is most exposed
Commonly deployed in small to mid-market on-premise setups with internet-facing web interfaces for inventory systems; public exposure increases risk when input validation and DB access controls are weak.
Detection ideas
- Web logs show requests to cust_searchfrm.php?action=edit with suspicious ID values.
- Database logs or ORM traces indicate injected SQL segments from the vulnerable endpoint.
- Increased SQL error events or abnormal query patterns on the affected page.
- WAF alerts for typical SQLi payloads targeting ID parameters.
- Anomalous spikes in data-access activity from the inventory system.
Mitigation and prioritisation
- Apply vendor patch or upgrade to patched version ASAP; if unavailable, implement a temporary workaround.
- Enforce parameterised queries and prepared statements for all inputs in cust_searchfrm.php.
- Validate and sanitize the ID parameter; implement input allow-lists where feasible.
- Harden the web app with WAF rules blocking common SQLi patterns; monitor the affected endpoint.
- Restrict DB account privileges used by the application; enforce least privilege.
- Schedule testing and deployment in a controlled change window; verify logs post-patch.
- Treat as priority 1 only if KEV/EPSS indicate; otherwise, classify as high priority given public exploit and high CVSS.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
