CVE Alert: CVE-2025-9744 – Campcodes – Online Loan Management System

CVE-2025-9744

HIGH
No exploitation known

A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Manipulating the argument Username can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.

CVSS v3.1 (7.3)
Vendor: Campcodes
Product: Online Loan Management System
Versions: 1.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-08-31T20:02:08.186Z
Updated: 2025-08-31T20:02:08.186Z

AI Summary Analysis

Risk verdict

High risk due to remote SQL injection on the login endpoint, with a publicly available exploit.

Why this matters

Exploitation could disclose or modify loan data and personal information, with potential financial impact and service disruption.

Most likely attack path

Unauthenticated access is possible; attacker targets /ajax.php?action=login, injecting via Username. Remote and low effort; data exfiltration is likely confined to the DB, with further movement depending on DB permissions and app trust boundaries.

Who is most exposed

Web-facing deployments of Campcodes Online Loan Management System 1.0, especially within small to mid-size lenders, and unpatched or poorly configured instances.

Detection ideas

  • SQL error patterns in login logs
  • Suspicious Username payloads (quotes, 1=1)
  • Spike in login failures or unusual DB queries
  • IDS/IPS alerts for SQLi on the login URL
  • Anomalous data export events following login attempts
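The first four detection ideas above can be turned into a small log triage script. The following is an added example, not code from this site or from Campcodes; the log line format (source IP, method, URL, HTTP status, posted form body) and the sample lines are constructed for illustration, and the indicator regexes are heuristics that should be tuned to the deployment.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory.
LOGIN_PATH = "/ajax.php"
LOGIN_ACTION = "login"

# Hypothetical log format: "<ip> <method> <url> <status> <url-encoded form body>".
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<body>\S*)$"
)

# Heuristics applied to the decoded Username value (quotes, tautologies such as 1=1,
# comment sequences, SQL keywords). A hit is a signal for review, not proof of SQLi.
SQLI_INDICATORS = {
    "quote": re.compile(r"['\"]"),
    "tautology": re.compile(r"\b(?:or|and)\s+\S+\s*=\s*\S+", re.I),
    "comment": re.compile(r"(?:--|#|/\*)"),
    "keyword": re.compile(r"\b(?:union|select|sleep|benchmark|waitfor)\b", re.I),
}

# Constructed sample traffic (not real data from any deployment).
SAMPLE_LOG = """\
10.0.0.5 POST /ajax.php?action=login 200 username=alice&password=x
10.0.0.5 GET /index.php 200 -
10.0.0.5 POST /ajax.php?action=login 401 username=alice&password=y
198.51.100.7 POST /ajax.php?action=login 200 username=admin'+OR+1%3D1--&password=a
198.51.100.7 POST /ajax.php?action=login 500 username=admin'&password=a
198.51.100.7 POST /ajax.php?action=login 401 username=x&password=a
198.51.100.7 POST /ajax.php?action=login 401 username=y&password=a
198.51.100.7 POST /ajax.php?action=login 401 username=z&password=a
"""


def is_login_request(url):
    """True for requests to /ajax.php?action=login."""
    parts = urlsplit(url)
    return parts.path == LOGIN_PATH and parse_qs(parts.query).get("action") == [LOGIN_ACTION]


def extract_username(body):
    """Decode the posted Username field (handles + and %XX encoding)."""
    return parse_qs(body).get("username", [""])[0]


def classify_username(value):
    """Return the names of all indicators that match the decoded Username."""
    return [name for name, rx in SQLI_INDICATORS.items() if rx.search(value)]


def analyze(log_text, failure_threshold=3):
    """Scan login requests for SQLi indicators, server errors and failure spikes per IP."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_login_request(m["url"]):
            continue
        ip, status = m["ip"], int(m["status"])
        username = extract_username(m["body"])
        hits = classify_username(username)
        if hits:
            findings.append({"ip": ip, "username": username, "indicators": hits, "status": status})
        if status >= 500:
            # A 5xx on the login endpoint often means an unhandled DB error
            # (the "SQL error patterns" signal in the list above).
            findings.append({"ip": ip, "username": username, "indicators": ["server_error"], "status": status})
        if status == 401:
            failures[ip] += 1
    spikes = {ip: n for ip, n in failures.items() if n >= failure_threshold}
    return {"suspicious": findings, "failure_spikes": spikes}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["suspicious"]:
        print(f"{f['ip']} status={f['status']} indicators={f['indicators']} username={f['username']!r}")
    print("failure spikes:", result["failure_spikes"])
```

Run against the constructed sample, the script flags the two requests from 198.51.100.7 with injection indicators, adds a server-error finding for the 500 response, and reports that IP for three failed logins. The same functions can be fed real application or WAF logs once `LINE_RE` is adapted to their format.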

Mitigation and prioritisation

  • Patch to fixed version or apply vendor fix
  • Use parameterised queries and strict input validation
  • WAF/IPS rules for login SQLi; monitor for SQLi signals
  • Least-privilege DB accounts and rotate credentials
  • Change-management: test in staging, then rapid deployment; escalate to priority 1 if KEV true or EPSS ≥0.5
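To make the "parameterised queries" item concrete, here is an added illustration of the CWE-89 pattern and its fix, written in Python against an in-memory SQLite table. It is not the Campcodes application's code (which is PHP) and the table layout, password hashing and test credentials are constructed for the example; the point is that the same Username value that satisfies the concatenated query is treated as a plain string by the parameterised one.

```python
import hashlib
import sqlite3


def hash_pw(pw):
    """Illustrative hash only; a real application should use bcrypt/argon2 with salting."""
    return hashlib.sha256(pw.encode()).hexdigest()


def build_db():
    """Constructed users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        ("admin", hash_pw("correct horse")),
    )
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: the Username value is spliced into the SQL text, so quotes and
    comment sequences in it change the query structure."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + hash_pw(password) + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    """Fixed form: the driver binds the values, so the SQL structure is constant
    and the Username is only ever compared as data."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, hash_pw(password))).fetchone() is not None


def compare(username, password):
    """Run both login functions on the same input and report the outcomes."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterised": login_parameterised(conn, username, password),
    }


if __name__ == "__main__":
    print("valid credentials:", compare("admin", "correct horse"))
    # The tautology-style Username from the detection list above.
    print("tautology input:", compare("' OR 1=1 --", "anything"))
```

The second call shows the difference: the concatenated query accepts the tautology input without a valid password, while the parameterised query rejects it. Strict input validation (for example, restricting usernames to an expected character set) remains worthwhile as defence in depth, but binding parameters is what removes the injection itself.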
