CVE-2025-10436 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Computer Sales and Inventory System. The vulnerability exists in an unspecified function within the file /pages/sup_searchfrm.php when accessed with the action parameter set to 'edit'. Specifically, the manipulation of the 'ID' argument allows an attacker to inject malicious SQL code. This injection flaw enables remote exploitation without requiring any authentication or user interaction, as indicated by the CVSS vector. The vulnerability affects the confidentiality, integrity, and availability of the underlying database, as attackers can potentially extract sensitive data, modify records, or disrupt database operations. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of remote exploitation (attack vector: network), no privileges required, and no user interaction needed, but with limited impact on confidentiality, integrity, and availability (low to limited impact). Although no public exploit is currently known to be in the wild, the exploit code has been publicly disclosed, increasing the risk of exploitation. The lack of available patches or mitigation from the vendor further elevates the threat. The vulnerability is critical for organizations relying on Campcodes Computer Sales and Inventory System 1.0, as it could lead to unauthorized data access or manipulation, potentially impacting business operations and customer data privacy.

For European organizations using Campcodes Computer Sales and Inventory System 1.0, this SQL Injection vulnerability poses significant risks. The system likely manages critical sales and inventory data, including customer information, product details, and transaction records. Exploitation could lead to unauthorized disclosure of sensitive business and customer data, violating GDPR requirements and resulting in regulatory penalties. Data integrity could be compromised, causing inaccurate inventory or sales records, which can disrupt supply chain management and financial reporting. Availability impacts could arise if attackers execute destructive SQL commands, leading to system downtime and operational disruption. Given the remote and unauthenticated nature of the exploit, attackers can launch attacks from anywhere, increasing the threat surface. European organizations in retail, wholesale, or IT asset management sectors using this software are particularly vulnerable. The medium severity rating suggests that while the impact is not catastrophic, the ease of exploitation and potential for data breaches make it a serious concern, especially in regulated environments.

1. Immediate mitigation should include restricting access to the vulnerable endpoint (/pages/sup_searchfrm.php?action=edit) via network controls such as web application firewalls (WAFs) or IP whitelisting to limit exposure. 2. Implement input validation and parameterized queries or prepared statements in the application code to prevent SQL injection. If source code modification is not feasible immediately, apply virtual patching through WAF rules that detect and block SQL injection patterns targeting the 'ID' parameter. 3. Conduct a thorough security audit of the Campcodes system to identify and remediate other potential injection points. 4. Monitor logs for suspicious activity related to the vulnerable endpoint, including anomalous query strings or repeated access attempts. 5. Engage with the vendor for official patches or updates; if none are available, consider migrating to alternative inventory management solutions with better security posture. 6. Educate IT and security teams on the risks of SQL injection and ensure incident response plans are updated to handle potential exploitation scenarios. 7. Regularly back up databases and verify backup integrity to enable recovery in case of data tampering or loss.