CVE Alert: CVE-2025-10417 – Campcodes – Grocery Sales and Inventory System

Risk verdict

High risk: remote SQL injection on a web endpoint that requires no authentication, with a public exploit released. Note: KEV/EPSS indicators are not provided, so escalation to top priority should be based on organisational exposure and patch availability.

Why this matters

The affected system handles sales and inventory data; exploitation could lead to data disclosure, modification, or tampering of transactional records. With network-level access and no user interaction required, any internet-facing instance is a viable target and could enable broader data compromise.

Most likely attack path

Attack preconditions are minimal: an attacker can directly query the vulnerable endpoint over the network and manipulate the ID parameter to trigger SQL injection. Privileges are not required, and no user interaction is needed, increasing the chance of successful data exfiltration or integrity impact. If the application DB user has broad rights, impact expands to potential lateral data access.

Who is most exposed

Retail environments running this system (1.0) that expose the web interface publicly or to VPNs/third-party hosting are at greatest risk. Small-to-medium stores often deploy such systems on internet-facing servers or shared hosting, increasing exposure.

Detection ideas

• Repeated, malformed requests to /ajax.php?action=delete_product with unusual ID values
• SQL error messages or database-agnostic error codes in app logs
• Anomalous data access patterns or unexpected data returned by queries
• Elevated error rates on the affected endpoint
• WAF or IDS alerts for injection signatures targeting this endpoint

Mitigation and prioritisation

• Apply vendor patch or hotfix to the affected build immediately; verify patch in staging before production.
• Implement parameterised queries and prepared statements; enforce input validation on ID.
• Disable or restrict access to the vulnerable endpoint if feasible; apply least-privilege DB credentials.
• Enable robust logging and real-time alerting for anomalous DB errors and data access.
• Change-management: schedule urgent patch window; communicate risk and rollback plan to stakeholders. If a KEV/EPSS indicator becomes available indicating active exploitation, escalate to priority 1.