CVE Alert: CVE-2025-10851 – Campcodes – Gym Management System

CVE-2025-10851

HIGH
No exploitation known

A security flaw has been discovered in Campcodes Gym Management System 1.0. The affected code is an unidentified function in the file /ajax.php?action=login. Manipulating the argument Username results in SQL injection. The attack can be launched remotely. A public exploit is available and may be used.

CVSS v3.1: 7.3
Vendor: Campcodes
Product: Gym Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-23T08:02:08.782Z
Updated: 2025-09-23T08:02:08.782Z

AI Summary Analysis

Risk verdict

High: unauthenticated remote SQL injection against the login endpoint with a publicly available exploit; treat as a priority for immediate remediation.

Why this matters

The flaw enables manipulation of the Username parameter in /ajax.php?action=login, potentially exposing or altering data without user interaction. For gym management operations, this could lead to credential exposure, partial data tampering, or service disruption, affecting member records and payments.

Most likely attack path

Attackers can reach the login endpoint from the Internet and submit crafted input to trigger SQL injection without credentials or user interaction. With network reachability and low attack complexity, an unauthenticated attacker could read or exfiltrate data within the vulnerable scope, with limited but real chances of credential bypass or lateral movement if backend access is gained.

Who is most exposed

Deployments of Campcodes Gym Management System 1.0 that expose the login endpoint to the Internet, whether on public clouds or on-premises, and that run older, unpatched instances are at highest risk.

Detection ideas

  • Unusual or malformed Username values in /ajax.php?action=login requests.
  • Database error messages or abnormal query failures in app/db logs.
  • Spikes in failed login or authentication events from external sources.
  • WAF alerts for SQL injection patterns targeting the login path.
  • IOCs: public exploit payload indicators and related IOAs/TTPs from advisories.
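Added example (not from the advisory or the Campcodes project): a small Python log scanner implementing the first detection idea above. It flags requests to /ajax.php?action=login whose URL-decoded Username value falls outside an allowlist or matches common SQL-injection signatures. The log format, the username policy, and the source addresses are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Constructed sample log in a hypothetical reverse-proxy format that records the
# posted username: <timestamp> <src_ip> <method> <target> username=<url-encoded value>
SAMPLE_LOG = """\
2025-09-23T08:01:02Z 198.51.100.7 POST /ajax.php?action=login username=alice
2025-09-23T08:01:09Z 198.51.100.7 POST /ajax.php?action=login username=bob.smith
2025-09-23T08:02:15Z 203.0.113.10 POST /ajax.php?action=login username=admin%27%20OR%201%3D1--
2025-09-23T08:02:16Z 203.0.113.10 POST /ajax.php?action=login username=%27%20UNION%20SELECT%201%2C2%2C3--
2025-09-23T08:03:01Z 198.51.100.9 GET /ajax.php?action=save_member username=carol
2025-09-23T08:03:30Z 203.0.113.10 POST /ajax.php?action=login username=x%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27--
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) username=(\S*)$")
# Allowlist first: what a legitimate username should look like (assumed policy), then
# signature checks on the URL-decoded value so percent-encoding cannot hide them.
ALLOWED_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
SUSPICIOUS = [
    (re.compile(r"['\"]"), "quote character"),
    (re.compile(r"--|#|/\*"), "SQL comment sequence"),
    (re.compile(r"\b(union|select|or|and)\b.*(=|\(|--)", re.I), "SQL keyword with operator"),
    (re.compile(r"\bsleep\(|\bwaitfor\b|\bbenchmark\(", re.I), "time-based probe"),
    (re.compile(r";"), "statement separator"),
]

def is_login_request(target):
    """True only for /ajax.php with action=login, the endpoint named in the advisory."""
    parts = urlsplit(target)
    return parts.path == "/ajax.php" and parse_qs(parts.query).get("action") == ["login"]

def analyse_username(raw_value):
    """Return reasons the decoded Username looks malformed; an empty list means it passed."""
    value = unquote_plus(raw_value)
    reasons = []
    if not ALLOWED_USERNAME.match(value):
        reasons.append("outside allowed username charset/length")
    reasons.extend(label for pattern, label in SUSPICIOUS if pattern.search(value))
    return reasons

def scan_log(text):
    """Return (timestamp, src_ip, decoded_username, reasons) for each flagged login request."""
    findings = []
    for line in text.splitlines():
        if not (match := LINE_RE.match(line)):
            continue  # line not in the expected format: skip rather than guess
        ts, ip, _method, target, raw = match.groups()
        if is_login_request(target):
            reasons = analyse_username(raw)
            if reasons:
                findings.append((ts, ip, unquote_plus(raw), reasons))
    return findings
```

Running scan_log(SAMPLE_LOG) flags the three requests from 203.0.113.10 and ignores the save_member request and the well-formed usernames; in production, feed it the real proxy or application log and alert on repeated findings from one source.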

Mitigation and prioritisation

  • Apply vendor patch or upgrade to fixed release immediately.
  • Implement input validation and parameterised queries; disable detailed DB error messages.
  • Enforce least-privilege DB accounts and restrict login endpoint exposure with allowlists or WAF rules.
  • Monitor and block anomalous login requests; enable alerting on unusual query patterns.
  • Schedule a change-management window for testing and deployment; if KEV or EPSS signals become known, escalate to Priority 1.
