CVE Alert: CVE-2025-10808 – Campcodes – Farm Management System

CVE-2025-10808

Severity: HIGH
Exploitation status: No exploitation known

A weakness has been identified in Campcodes Farm Management System 1.0. An unknown function of the file /uploadProduct.php is affected. Manipulation of the argument Type causes SQL injection. The attack can be launched remotely. An exploit has been made available to the public and could be used.

CVSS v3.1 score: 7.3
Vendor: Campcodes
Product: Farm Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-22T17:32:06.241Z
Updated: 2025-09-22T17:32:06.241Z

AI Summary Analysis

Risk verdict

High risk: remote, unauthenticated SQL injection via the uploadProduct.php endpoint, with a publicly available exploit.

Why this matters

Allows data disclosure or modification without credentials, potentially exfiltrating sensitive information or disrupting operations. In a farm management context, this can affect inventory, crop data, orders and reporting, with downstream business and regulatory impact.

Most likely attack path

An attacker can trigger the vulnerability over the network by sending a crafted request to uploadProduct.php with a manipulated Type parameter; no user interaction or credentials are required. The impact depends on the database privileges of the application account: reading or altering data is plausible, and the scope for lateral movement depends on how broadly the application's DB user is trusted and which underlying systems it can reach.

Who is most exposed

Web-facing deployments of the system, common in SMB farming ops, whether on-prem or cloud-hosted, are at greatest risk. Off-network or poorly segmented environments increase exposure for data stores used by the application.

Detection ideas

  • SQL error messages or DB error codes in app logs after requests to uploadProduct.php with suspicious Type values
  • Anomalous or SQLi-like query patterns in application or DB logs
  • Surge in requests to uploadProduct.php with unusual or encoded Type payloads
  • WAF/IDS alerts targeting SQLi patterns on this endpoint
  • Unexpected modifications to product-related data in the DB
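The first three detection ideas can be checked from an ordinary web access log. The following Python script is an added example written for this alert, not code from the vendor or from the advisory: it parses constructed combined-format log lines, pulls the decoded Type value out of requests to uploadProduct.php, flags values that match SQLi-shaped patterns or requests that ended in a 5xx (a likely database error), and tallies flagged requests per source address so a surge from one client stands out. The log lines, IP addresses and regex signatures are constructed for illustration; the signatures are heuristics and need tuning against real traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined"-style format; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Sep/2025:18:01:02 +0000] "GET /uploadProduct.php?Type=Grain HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2025:18:01:09 +0000] "GET /uploadProduct.php?Type=Grain%27%20OR%201%3D1-- HTTP/1.1" 500 120 "-" "curl/8.0"
198.51.100.7 - - [22/Sep/2025:18:01:11 +0000] "GET /uploadProduct.php?Type=x%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 7310 "-" "curl/8.0"
203.0.113.4 - - [22/Sep/2025:18:02:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.4 - - [22/Sep/2025:18:02:45 +0000] "GET /uploadProduct.php?Type=Seed%20Stock HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Heuristic signatures for SQLi-shaped input (quotes, comment markers, stacked
# statements, UNION/SELECT, tautologies, timing functions). Tune per environment.
SQLI_RE = re.compile(
    r"""(?ix)
    ['"`;]                        # quote or statement terminator
    | --                          # SQL line comment
    | /\*                         # SQL block comment
    | \bunion\b | \bselect\b      # union-based probing
    | \b(or|and)\b\s*\S*\s*=\s*   # boolean tautology such as OR 1=1
    | \b(sleep|benchmark)\s*\(    # time-based probing
    """
)


def check_type_param(target: str):
    """Return the decoded Type value if the request targets uploadProduct.php
    with a Type query parameter, else None. Only GET query strings are visible
    in an access log; POST bodies need an application- or WAF-level log."""
    parts = urlsplit(target)
    if not parts.path.endswith("/uploadProduct.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("Type")
    return values[0] if values else None


def find_suspicious(log_text: str):
    """Scan log lines and return findings for uploadProduct.php requests whose
    Type value looks like SQL injection, or that ended in a 5xx (DB error)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        type_value = check_type_param(m["target"])
        if type_value is None:
            continue
        sqli = bool(SQLI_RE.search(type_value))
        server_error = m["status"].startswith("5")
        if sqli or server_error:
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "type_value": type_value,
                "reasons": [name for name, hit in (("sqli_pattern", sqli),
                                                   ("server_error", server_error)) if hit],
            })
    return findings


def count_by_source(findings):
    """Flagged requests per source IP; a spike from one client is the 'surge' indicator."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(count_by_source(hits))
```

Feed the real access log to find_suspicious in place of SAMPLE_LOG; the 5xx check is what ties the "SQL error messages in app logs" idea to the web tier when the application log itself is not centralised.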

Mitigation and prioritisation

  • Apply the vendor patch or upgrade to a fixed version; verify in staging prior to production.
  • Enforce input validation and use parameterised queries for all user inputs; restrict Type handling.
  • Restrict DB privileges for the application account to least privilege; separate duties where possible.
  • Deploy targeted WAF rules to block SQLi attempts on the endpoint; enable detailed logging.
  • Change-management: schedule patching window, test end-to-end, and document rollback plan; monitor for follow-on indicators. If KEV or EPSS indicators appear, raise to priority 1.
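The second mitigation bullet is the one that removes the CWE-89 root cause. The application itself is PHP, but the distinction is language-independent, so the following added example (written for this alert, not the vendor's code) uses Python with an in-memory sqlite3 table to show the vulnerable shape beside the hardened one: a query built by string concatenation, where a stray quote in Type rewrites the WHERE clause, versus a bound parameter, where the same value is compared as plain text; a third function adds an allow-list for Type on top of parameterisation. The table contents and the ALLOWED_TYPES set are constructed; the real application's product categories are not on the page.

```python
import sqlite3

# Constructed allow-list of product types the form should accept (assumption;
# the real application's categories are not on the page).
ALLOWED_TYPES = {"Grain", "Seed Stock", "Livestock", "Dairy"}


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's product table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, type TEXT)")
    conn.executemany(
        "INSERT INTO product (name, type) VALUES (?, ?)",
        [("Winter wheat", "Grain"), ("Maize seed", "Seed Stock"), ("Holstein", "Livestock")],
    )
    conn.commit()
    return conn


def products_by_type_vulnerable(conn, type_value: str):
    """The CWE-89 shape: user input spliced straight into the SQL text, so a
    quote inside Type changes the query's structure instead of being data."""
    sql = "SELECT id, name FROM product WHERE type = '" + type_value + "'"
    return conn.execute(sql).fetchall()


def products_by_type_safe(conn, type_value: str):
    """Hardened form: the value travels as a bound parameter. Whatever it
    contains, the database compares it as a string against the type column."""
    return conn.execute(
        "SELECT id, name FROM product WHERE type = ?", (type_value,)
    ).fetchall()


def products_by_type_strict(conn, type_value: str):
    """Parameterisation plus allow-listing ('restrict Type handling'): values
    outside the known set are rejected before they reach the database."""
    if type_value not in ALLOWED_TYPES:
        raise ValueError("unexpected Type value")
    return products_by_type_safe(conn, type_value)


if __name__ == "__main__":
    conn = make_db()
    probe = "Grain' OR '1'='1"  # one stray quote is enough to show the difference
    print("vulnerable:", products_by_type_vulnerable(conn, probe))  # every row
    print("safe:      ", products_by_type_safe(conn, probe))        # no such type: []
```

The vulnerable function returns every row for the probe value because the concatenated string becomes WHERE type = 'Grain' OR '1'='1'; the parameterised function returns nothing because no product has that literal type. The same pattern applies to PHP with prepared statements (PDO or mysqli bound parameters), which is what the mitigation bullet asks for.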
