CVE Alert: CVE-2025-9678 – Campcodes – Online Loan Management System

CVE-2025-9678

HIGH | No exploitation known

A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected component is an unknown function of the file /ajax.php?action=delete_borrower. Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

CVSS v3.1: 7.3
Vendor: Campcodes
Product: Online Loan Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-08-29T21:32:07.312Z
Updated: 2025-08-29T21:32:07.312Z

AI Summary Analysis

Risk verdict

High risk: a publicly disclosed, remotely exploitable SQL injection in Campcodes Online Loan Management System allows unauthenticated access to the database; requires immediate attention.

Why this matters

Data confidentiality and integrity are at stake, with potential for borrower data exposure, record manipulation, and service disruption. The public exploit increases scan and opportunistic attack likelihood, especially for small lenders running exposed deployments.

Most likely attack path

An attacker can exercise the vulnerability over the network via the AJAX endpoint without authentication or user interaction, using crafted input to manipulate SQL queries. The impact spans confidentiality, integrity and availability, meaning potential data exfiltration or tampering with borrower records; limited lateral movement is possible if the app uses shared DB credentials for other services.

Who is most exposed

Any organisation running Campcodes Online Loan Management System 1.0 on internet-facing infrastructure, common in SMB lending or microfinance setups, is at risk.

Detection ideas

  • Logs show payloads targeting /ajax.php?action=delete_borrower with anomalous IDs or SQL syntax.
  • Web/app server or database errors indicative of SQL injection appear in logs (verbose error messages returned to the client).
  • Unusual spikes in unauthenticated requests to the AJAX endpoint.
  • IDS/WAF alerts for SQLi patterns (e.g., tautologies, UNION/OR-based payloads).
  • Sudden changes to borrower data or unexpected readouts from the database.
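The first three detection ideas above, turned into a log check. This is an added example, not code from the advisory or from Campcodes: it assumes Apache/nginx combined-format access logs and that the advisory's "argument ID" is a query parameter named id, and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log layout (assumed; adapt the regex to your format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
TARGET_PATH = "/ajax.php"
TARGET_ACTION = "delete_borrower"
ID_PARAM = "id"  # assumption: the advisory's "argument ID" is a query parameter named id

# Constructed sample lines: one legitimate deletion, two probes from a second source, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2025:21:40:01 +0000] "GET /ajax.php?action=delete_borrower&id=12 HTTP/1.1" 200 45
198.51.100.7 - - [29/Aug/2025:21:40:05 +0000] "GET /ajax.php?action=delete_borrower&id=12%27 HTTP/1.1" 500 212
198.51.100.7 - - [29/Aug/2025:21:40:06 +0000] "GET /ajax.php?action=delete_borrower&id=abc HTTP/1.1" 200 45
203.0.113.5 - - [29/Aug/2025:21:41:00 +0000] "GET /index.php?page=borrowers HTTP/1.1" 200 8812
"""

def hits_endpoint(target: str) -> bool:
    """True when the request targets /ajax.php with action=delete_borrower."""
    parts = urlsplit(target)
    return parts.path == TARGET_PATH and TARGET_ACTION in parse_qs(parts.query).get("action", [])

def id_reason(target: str):
    """Return a reason string if the id parameter is not a plain integer, else None."""
    ids = parse_qs(urlsplit(target).query, keep_blank_values=True).get(ID_PARAM, [])
    bad = [v for v in ids if not v.strip().isdigit()]  # parse_qs already URL-decodes (%27 -> ')
    return f"non-integer id {bad[0]!r}" if bad else None

def scan_log(lines):
    """Return (alerts, per-source hit counts on the endpoint) for a sequence of access-log lines."""
    alerts, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_endpoint(m["target"]):
            continue
        ip, target, status = m["ip"], m["target"], int(m["status"])
        per_ip[ip] += 1  # feeds the "unusual spike in requests to the endpoint" check
        reason = id_reason(target)
        if reason is None and status >= 500:
            reason = f"server error {status} on endpoint"  # verbose DB errors: weaker signal
        if reason:
            alerts.append((ip, target, reason))
    return alerts, per_ip

if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG.splitlines())
    for ip, target, reason in found:
        print(f"ALERT {ip} {reason}: {target}")
    print("endpoint hits per source:", dict(counts))
```

An id sent in a POST body is not visible in an access log, so pair this with the WAF or application-level checks listed above for that case.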

Mitigation and prioritisation

  • Patch to the latest fixed release or apply vendor-sanctioned fixes; if unavailable, implement parameterised queries/prepared statements and strict input validation on the ID parameter.
  • Require authentication and authorisation on the AJAX endpoint; disable verbose error reporting and implement CSRF protections where applicable.
  • Apply least-privilege DB accounts and restrict network access to the application tier; deploy/refresh WAF rules to block SQLi signatures; monitor and alert on the affected endpoint.
  • Change-management: test fixes in staging, back up data, and schedule a rapid production roll-out; verify that no regressions occur in loan-management workflows. If KEV or EPSS indicators are known to be high, treat as priority 1.
