CVE Alert: CVE-2025-10857 – Campcodes – Point of Sale System POS

CVE-2025-10857

Severity: HIGH
Exploitation status: No exploitation known

A security flaw has been discovered in Campcodes Point of Sale System POS 1.0. The issue affects unknown functionality of the file /login.php: manipulation of the argument Username results in SQL injection. The attack can be carried out remotely. An exploit has been released to the public and may be used against unpatched installations.

CVSS v3.1 score: 7.3
Vendor: Campcodes
Product: Point of Sale System POS
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-23T08:32:11.548Z
Updated: 2025-09-23T08:32:11.548Z

AI Summary Analysis

Risk verdict

High risk: remote, unauthenticated SQL injection in login.php with a publicly available exploit; urgency depends on KEV/EPSS indicators, but exploitation is feasible now.

Why this matters

Compromise can expose or modify transactional data, customer records, and payment details, undermining the integrity and availability of the POS. A successful attacker could exfiltrate data, tamper with orders, or disrupt sales operations across affected sites.

Most likely attack path

No user interaction is required (UI:N) and the attack is carried out over the network (AV:N); an attacker need only supply crafted Username data to trigger the injection (PR:N, AC:L). With Scope unchanged (S:U), the impact remains on the same system's confidentiality, integrity, and availability. The public PoC and advisories raise the likelihood of automated scans or exploit attempts targeting exposed POS terminals.

Who is most exposed

Retail environments deploying Campcodes Point of Sale System POS v1.0 on PHP/MySQL stacks, especially where POS terminals are networked, Internet-accessible, or improperly segmented from payment processing backends.

Detection ideas

  • Web logs show SQL error messages or anomalies from login.php requests.
  • Requests containing unusual quotes, comments, or UNION-based payloads in Username fields.
  • Spike in failed login attempts or anomalous data-return patterns from the auth endpoint.
  • WAF alerts matching SQLi signatures on login.php.
  • DMV or DB audit trails showing abnormal data access around user authentication.
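As an added illustration of the second and third detection ideas (this is not code from the advisory or from the Campcodes product), the following Python script scans constructed log lines in an assumed format that records the URL-encoded Username field of each login.php request, decodes the value, flags entries that trip two or more of the quote, comment, UNION and tautology heuristics, and counts login.php attempts per client IP. A lone apostrophe (O'Brien) scores 1 and is not flagged by default.

```python
"""Heuristic SQLi detector for login.php requests, run over constructed sample log lines."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Assumed (constructed) log format, not the product's own logging:
# <timestamp> <client_ip> <method> <uri> status=<code> username="<url-encoded Username>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) '
    r'status=(?P<status>\d{3}) username="(?P<user>[^"]*)"$'
)

# Indicators named in the advisory: quotes, SQL comment sequences, UNION-based payloads.
SQLI_PATTERNS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"--|#|/\*"),
    "union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "tautology": re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I),
}

# Constructed sample traffic: two normal logins, one probing client, one apostrophe name.
SAMPLE_LOG = [
    '2025-09-23T08:30:01Z 198.51.100.10 POST /login.php status=302 username="cashier1"',
    '2025-09-23T08:30:05Z 198.51.100.10 POST /login.php status=200 username="cashier1"',
    '2025-09-23T08:31:40Z 203.0.113.7 POST /login.php status=200 username="admin%27+OR+1%3D1--"',
    '2025-09-23T08:31:41Z 203.0.113.7 POST /login.php status=500 username="admin%27+UNION+SELECT+1%2C2%2C3--"',
    '2025-09-23T08:31:42Z 203.0.113.7 POST /login.php status=200 username="o%27brien"',
    '2025-09-23T08:32:00Z 192.0.2.20 GET /index.php status=200 username=""',
]

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_username(raw_value):
    """URL-decode the Username field and return the names of the indicators it trips."""
    decoded = unquote_plus(raw_value)
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]

def scan(lines, min_score=2):
    """Flag login.php requests whose Username trips at least min_score indicators."""
    findings = []
    for rec in map(parse_line, lines):
        if rec is None or rec["uri"] != "/login.php":
            continue
        hits = classify_username(rec["user"])
        if len(hits) >= min_score:
            findings.append({"ip": rec["ip"], "username": unquote_plus(rec["user"]), "indicators": hits})
    return findings

def attempts_per_ip(lines):
    """Count login.php requests per client IP to spot bursts from a single source."""
    return Counter(r["ip"] for r in map(parse_line, lines) if r and r["uri"] == "/login.php")

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f['ip']} username={f['username']!r} indicators={f['indicators']}")
    print(attempts_per_ip(SAMPLE_LOG))
```

Lower min_score to 1 to surface apostrophe-only values for manual review; pair the per-IP counts with the failed-login indicator from the list above.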

Mitigation and prioritisation

  • Apply vendor patch or upgrade to a fixed release; verify applicability to POS v1.0.
  • Enforce parameterised queries and strict input validation in login.php; review ORM/DB access layers.
  • Implement least-privilege DB accounts and disable unnecessary data exposure in authentication paths.
  • Deploy network segmentation and restrict external access to the POS backend; consider VPN/WLS proxy for remote access.
  • If the CVE is listed in KEV or its EPSS score is ≥ 0.5, treat it as priority 1; otherwise treat it as high priority with a rapid remediation window.
