CVE Alert: CVE-2025-9759 – Campcodes – Courier Management System

CVE-2025-9759

Severity: HIGH | Exploitation status: No exploitation known

A security flaw has been discovered in Campcodes/SourceCodester Courier Management System 1.0. The affected code is the function Signup in the file /ajax.php. Manipulating the argument lastname leads to SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be used in attacks.

CVSS v3.1 score: 7.3
Vendor: Campcodes, SourceCodester
Product: Courier Management System (Campcodes), Courier Management System (SourceCodester)
Versions: 1.0 (Campcodes), 1.0 (SourceCodester)
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-01T03:32:06.223Z
Updated: 2025-09-01T03:32:06.223Z

AI Summary Analysis

**Risk verdict**: High risk due to a publicly released PoC for a remote SQL injection in the signup endpoint, enabling unauthenticated access without user interaction.

**Why this matters**: An attacker can manipulate user input to read or alter data within the application’s database, potentially leaking customer or order information or corrupting records. Because the flaw lies in a publicly reachable function, any internet-facing deployment running the affected version is at elevated risk of automated exploitation.

**Most likely attack path**: An attacker scans the internet for the signup endpoint, submits crafted payloads in the lastname parameter, and uses the SQL injection to bypass application controls. With no authentication required and network-facing access, successful exploitation can lead to data exposure or modification within the application’s database. The Unchanged scope (S:U) in the vector means the rated impact stays within the application, but a compromised web server could still enable further internal access if its database credentials are reused or misused.

**Who is most exposed**: Organisations hosting the affected Courier Management System on publicly accessible web servers, particularly small to medium deployments on LAMP or similar stacks, are at greatest risk.

**Detection ideas**:

  • Look for SQL error messages or abnormal DB-side errors in HTTP responses or logs from /ajax.php.
  • Detect payload patterns typical of SQL injection (e.g., UNION SELECT, tautological comparisons, or unusual comment sequences) in signup requests.
  • Monitor WAF/IDS alerts for SQLi indicators targeting the signup endpoint.
  • Watch for anomalous signup traffic: spikes, repeated attempts from diverse IPs, or atypical parameter values.
  • Review application logs for failed or suspicious database queries tied to lastname input.
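As an added example (not part of the advisory, the vendor's code or the PoC), the following Python script applies the first two detection ideas to constructed web-server log lines for /ajax.php signup requests: it decodes the lastname parameter, matches it against the indicator classes listed above, and additionally flags a 5xx response that follows a quoted value. The log format (combined log with the POST body appended as a final quoted field), the action=signup query string and the sample addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not from the advisory): combined-log style with the
# decoded POST body appended in a final quoted field, as a reverse proxy can be
# configured to do. The action=signup query string is an assumed routing detail.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2025:10:00:01 +0000] "POST /ajax.php?action=signup HTTP/1.1" 200 512 "firstname=Ann&lastname=Smith"
203.0.113.11 - - [01/Sep/2025:10:00:05 +0000] "POST /ajax.php?action=signup HTTP/1.1" 500 210 "firstname=x&lastname=a%27+OR+%271%27%3D%271"
203.0.113.12 - - [01/Sep/2025:10:00:09 +0000] "POST /ajax.php?action=signup HTTP/1.1" 200 700 "firstname=x&lastname=z%27+UNION+SELECT+1%2C2%2C3--+-"
203.0.113.13 - - [01/Sep/2025:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 1024 "-"
203.0.113.14 - - [01/Sep/2025:10:00:15 +0000] "POST /ajax.php?action=signup HTTP/1.1" 200 512 "firstname=Bob&lastname=O%27Brien"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)

# Indicator classes named in the detection ideas above; matched against the
# decoded lastname value only, so a legitimate apostrophe (O'Brien) is not enough.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s*['\"]?\s*\w+\s*['\"]?\s*=\s*['\"]?\s*\w+", re.I)),
    ("comment_sequence", re.compile(r"--(\s|$)|/\*")),
]


def analyse_signup_request(line):
    """Return a finding dict for a signup request to /ajax.php, or None for other lines."""
    m = LOG_RE.match(line)
    if not m or urlsplit(m.group("path")).path != "/ajax.php":
        return None
    params = parse_qs(m.group("body"), keep_blank_values=True)
    if "lastname" not in params:
        return None
    lastname = params["lastname"][0]  # parse_qs already URL-decodes and turns '+' into spaces
    reasons = [name for name, rx in SQLI_PATTERNS if rx.search(lastname)]
    # A 5xx response right after a quoted lastname suggests a DB-side error leaking out.
    if m.group("status").startswith("5") and "'" in lastname:
        reasons.append("server_error_after_quote")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "lastname": lastname, "reasons": reasons}


def scan_log(text):
    """Return findings for every signup request whose lastname carries an SQLi indicator."""
    findings = [analyse_signup_request(l) for l in text.splitlines()]
    return [f for f in findings if f and f["reasons"]]
```

Run `scan_log` over an exported access log to list the offending source addresses and timestamps; the clean Smith and O'Brien lines produce no finding, which is the false-positive check a detection rule for this endpoint needs.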

**Mitigation and prioritisation**:

  • Apply vendor patch or upgrade to fixed version where available; if not feasible, implement compensating controls immediately.
  • Implement parameterised queries/prepared statements and input validation for all signup fields; avoid dynamic SQL.
  • Disable verbose error messages and reduce information leakage in production responses; harden error handling.
  • Deploy web application firewall rules to block common SQL injection payloads on the signup endpoint; tighten network access to the admin interface and signup page.
  • Schedule rapid patching within the next maintenance window; verify with test harness and monitor post-deployment. If KEV or EPSS indicators surface, escalate to priority 1.
