CVE Alert: CVE-2025-10030 – Campcodes – Grocery Sales and Inventory System
CVE-2025-10030
A weakness has been identified in Campcodes Grocery Sales and Inventory System 1.0. The affected code path is an unspecified part of the file /ajax.php?action=save_receiving. Manipulation of the argument ID can lead to SQL injection. The attack may be launched remotely. A public exploit is available and may be used against unpatched deployments.
AI Summary Analysis
Risk verdict
High risk of remote SQL injection with publicly available exploit and no authentication required; patching should be prioritised.
Why this matters
Public exploitation increases likelihood of automated scanning and mass attempts, risking data exposure, record tampering, and inventory disruption. In practice, attacker access could enable leakage or modification of records tied to receiving workflows, potentially impacting financial accuracy and stock control.
Most likely attack path
An attacker can exploit this with a network request to the vulnerable endpoint, without credentials or user interaction. Crafted input in the ID parameter reaches the database, enabling read and write effects; the per-metric impact is rated low, but escalation is possible if database privileges are misconfigured. The impact remains within the scope of the web application, though it could seed further access.
Who is most exposed
Deployments with web-facing endpoints and the described AJAX path, common in small-to-mid sized on-prem or hosted retail/ERP setups, are at greatest risk; exposure increases where input sanitisation and DB access controls are weak.
Detection ideas
- Logs show repeated requests to action=save_receiving with anomalous ID values
- SQL error messages or database error codes in application or web server logs
- Unusual spikes in DB query latency or volume around the endpoint
- IDS/IPS alerts matching SQLi patterns targeting the endpoint
- Unauthorised data access or modification attempts in receiving-related tables
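The first two detection ideas above can be turned into a log check. The following is an added example, not code from the advisory or the vendor: it parses Apache combined-format access log lines (a constructed sample is embedded), isolates requests to /ajax.php with action=save_receiving, and flags any value of the ID parameter that is not a plain decimal number, then counts flagged requests per source address. The log format, the lower-case parameter name (PHP's $_GET keys are case-sensitive, so the key is matched case-insensitively here) and the sample lines are assumptions.

```python
"""Flag non-numeric ID values sent to /ajax.php?action=save_receiving in access logs."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:09:14:02 +0000] "GET /ajax.php?action=save_receiving&id=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Oct/2025:09:14:09 +0000] "GET /ajax.php?action=save_receiving&id=18 HTTP/1.1" 200 514 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Oct/2025:09:15:30 +0000] "GET /ajax.php?action=save_receiving&id=17%27 HTTP/1.1" 500 233 "-" "python-requests/2.31"
203.0.113.9 - - [01/Oct/2025:09:15:31 +0000] "GET /ajax.php?action=save_receiving&id=17%20AND%201%3D1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [01/Oct/2025:09:15:32 +0000] "GET /ajax.php?action=list_items HTTP/1.1" 200 900 "-" "python-requests/2.31"
"""

# Minimal combined-format matcher: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, path, query params (keys lower-cased) and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so %27 becomes a literal quote character.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "params": {k.lower(): v for k, v in params.items()},
        "status": int(m.group("status")),
    }


def find_suspicious(log_text):
    """List (ip, id_value, status) for save_receiving requests whose ID is not all digits."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/ajax.php":
            continue
        if rec["params"].get("action", [""])[0] != "save_receiving":
            continue
        for value in rec["params"].get("id", []):
            if not value.isdigit():
                findings.append((rec["ip"], value, rec["status"]))
    return findings


def suspicious_sources(findings, threshold=2):
    """Source addresses that produced at least `threshold` flagged requests."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for ip, value, status in hits:
        print(f"{ip} sent id={value!r} (HTTP {status})")
    print("repeat sources:", suspicious_sources(hits))
```

A 500 response paired with a flagged value is worth treating as a stronger signal, since it matches the "SQL error messages in application or web server logs" idea: the database rejected the malformed statement rather than executing it silently.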
Mitigation and prioritisation
- Apply vendor patch or upgrade to fixed version immediately
- Implement strong input validation and use parameterised queries/prepared statements
- Enforce least-privilege DB access for the web app user; disable unnecessary rights
- Deploy WAF/RApID rules to block SQL injection patterns on the endpoint
- Add monitoring and alerting for anomalous ID values and failed DB queries; schedule patch in the next maintenance window
- If the system must remain internet-facing, implement IP allowlisting and tightened network controls
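To make the second mitigation item concrete, the following added example (not the vendor's code, and not the product's real schema) contrasts the anti-pattern the advisory describes with a hardened handler. It uses an in-memory sqlite3 table as a stand-in for the receiving table: the vulnerable function interpolates the raw ID into the statement text, so a tautology in the ID value updates every row; the hardened handler allowlists the ID as a positive integer, binds both values as parameters, and answers with an HTTP-style status tuple. Table name, columns and the `save_receiving_hardened` interface are assumptions.

```python
"""Untrusted 'id' parameter: string interpolation versus validation plus parameter binding."""
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a receiving table; not the product's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE receiving (id INTEGER PRIMARY KEY, supplier TEXT, qty INTEGER)")
    conn.executemany(
        "INSERT INTO receiving VALUES (?, ?, ?)",
        [(1, "Acme Foods", 40), (2, "Fresh Farms", 12), (3, "Dairy Co", 7)],
    )
    conn.commit()
    return conn


def update_qty_vulnerable(conn, raw_id, qty):
    """Anti-pattern: the request value becomes part of the SQL text. Returns rows changed."""
    cur = conn.execute(f"UPDATE receiving SET qty = {int(qty)} WHERE id = {raw_id}")
    conn.commit()
    return cur.rowcount


def parse_id(raw):
    """Allowlist validation: a short string of decimal digits denoting a positive integer."""
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > 10 or int(raw) == 0:
        return None
    return int(raw)


def save_receiving_hardened(conn, params):
    """Hypothetical save_receiving handler: validate first, then bind parameters."""
    rid = parse_id(params.get("id", ""))
    if rid is None:
        return 400, {"error": "invalid id"}
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        return 400, {"error": "invalid qty"}
    if qty < 0:
        return 400, {"error": "invalid qty"}
    # Values travel separately from the statement text, so they can never alter its structure.
    cur = conn.execute("UPDATE receiving SET qty = ? WHERE id = ?", (qty, rid))
    conn.commit()
    if cur.rowcount == 0:
        return 404, {"error": "no such receiving record"}
    return 200, {"updated": rid}


def all_qty(conn):
    """Quantities in id order, used to observe what each handler changed."""
    return [row[0] for row in conn.execute("SELECT qty FROM receiving ORDER BY id")]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology in id:", update_qty_vulnerable(conn, "0 OR 1=1", 0), "rows changed")
    conn = make_db()
    print("hardened, same input:", save_receiving_hardened(conn, {"id": "0 OR 1=1", "qty": "0"}))
    print("hardened, valid input:", save_receiving_hardened(conn, {"id": "2", "qty": "99"}))
```

The validation step is what keeps the error handling tidy; the parameter binding is what removes the injection. Pairing it with the least-privilege item above (a database account for the web application that cannot read or alter tables outside the receiving workflow) limits what any remaining flaw in the handler could reach.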
Note: KEV presence, SSVC exploitation state, and EPSS score are not provided; uncertainty remains regarding official prioritisation beyond the explicit public exploit.