
CVE-2025-10445: SQL Injection in Campcodes Computer Sales and Inventory System

Severity: Medium
Tags: Vulnerability, CVE-2025-10445
Published: Mon Sep 15 2025 (09/15/2025, 12:32:08 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Computer Sales and Inventory System

Description

A weakness has been identified in Campcodes Computer Sales and Inventory System 1.0. An unknown function of the file /pages/us_transac.php?action=add is affected. Manipulation of the argument Username can lead to SQL injection. The attack may be performed remotely. The exploit has been made available to the public and could be used.

AI-Powered Analysis

Last updated: 09/15/2025, 12:39:44 UTC

Technical Analysis

CVE-2025-10445 is a SQL injection vulnerability in version 1.0 of the Campcodes Computer Sales and Inventory System, located in the /pages/us_transac.php file when the action parameter is set to 'add'. The flaw arises from improper sanitization or validation of the 'Username' argument, which lets a remote attacker inject SQL into backend database queries without authentication or user interaction, potentially leading to unauthorized data access, data modification, or complete compromise of the database. The CVSS 4.0 base score of 6.9 (medium) reflects a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). No exploitation in the wild has been observed, but exploit code has been publicly disclosed, which raises the likelihood of attempts by attackers scanning for exposed instances. No vendor patch or mitigation is available at this time, which further elevates the risk for affected deployments.

Potential Impact

For European organizations using Campcodes Computer Sales and Inventory System 1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of sensitive sales and inventory data. Exploitation could lead to unauthorized disclosure of customer and transaction records, manipulation of inventory data causing operational disruptions, and potential financial losses. Given that the system likely interfaces with critical business processes such as sales tracking, inventory management, and possibly financial reporting, a successful attack could disrupt supply chains and customer relations. Additionally, compromised data could lead to regulatory non-compliance under GDPR, resulting in legal penalties and reputational damage. The remote and unauthenticated nature of the vulnerability increases the likelihood of automated scanning and exploitation attempts, especially as exploit code is publicly available. Organizations relying on this system without adequate compensating controls are at elevated risk.

Mitigation Recommendations

Immediate mitigation should focus on restricting external access to the vulnerable endpoint, such as implementing network-level controls (firewalls, VPNs) to limit exposure. Web application firewalls (WAFs) should be configured with rules to detect and block SQL injection patterns targeting the 'Username' parameter in the /pages/us_transac.php?action=add request. Input validation and sanitization should be implemented or enhanced on the server side to properly handle and escape user-supplied input. Organizations should monitor logs for suspicious activity related to this endpoint and conduct regular vulnerability scans to detect exploitation attempts. Since no official patch is currently available, consider isolating or replacing the vulnerable system with updated or alternative solutions. Additionally, applying the principle of least privilege to database accounts used by the application can limit the impact of a successful injection. Finally, organizations should prepare incident response plans specific to SQL injection attacks and ensure backups of critical data are current and secure.
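The server-side fix the paragraph above calls for is parameterized queries rather than string-built SQL. The following is an added illustration and is not Campcodes code: a hypothetical "add transaction" handler that shows the unsafe query-building pattern for contrast, the bound-parameter form that removes the injection, and an allow-list check on the Username field that also produces a log line for the monitoring recommended above. The table and column names, the request field names other than Username, and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example, not the project's own code. Schema, the $pdo connection and
// the request fields other than 'Username' are assumed for illustration.
declare(strict_types=1);

/**
 * Unsafe pattern, shown only for contrast and never executed here: the request
 * value is spliced into the SQL text, so the database cannot tell data from
 * query syntax. This is the shape of bug the advisory describes.
 */
function buildUnsafeQuery(string $username): string
{
    return "SELECT id FROM users WHERE username = '" . $username . "'";
}

/**
 * Hardened lookup: the SQL text is fixed and the value travels separately as a
 * bound parameter, so it can never alter the structure of the query.
 */
function findUserId(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

/**
 * Allow-list validation applied before any query. The application's usernames
 * are assumed to be short alphanumerics; anything else is rejected early.
 */
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username) === 1;
}

/** Hypothetical handler for the 'add' action, using only bound parameters. */
function handleAddTransaction(PDO $pdo, array $post): array
{
    $username = $post['Username'] ?? '';
    if (!isValidUsername($username)) {
        // Rejected input is logged so the endpoint can be monitored for abuse.
        error_log('us_transac add: rejected malformed Username value');
        return ['ok' => false, 'error' => 'invalid username'];
    }
    $userId = findUserId($pdo, $username);
    if ($userId === null) {
        return ['ok' => false, 'error' => 'unknown user'];
    }
    $stmt = $pdo->prepare(
        'INSERT INTO transactions (user_id, amount) VALUES (:user_id, :amount)'
    );
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':amount', (string) ($post['amount'] ?? '0'), PDO::PARAM_STR);
    $stmt->execute();
    return ['ok' => true, 'transaction_id' => (int) $pdo->lastInsertId()];
}

// Self-contained demonstration on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$pdo->exec('CREATE TABLE transactions (id INTEGER PRIMARY KEY, user_id INTEGER, amount TEXT)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice')");

// A well-formed request succeeds.
var_dump(handleAddTransaction($pdo, ['Username' => 'alice', 'amount' => '12.50']));
// A value containing a quote and a space never reaches the database: it fails
// the allow-list and is logged. Even if it did reach findUserId, the bound
// parameter would simply match no row and return null.
var_dump(handleAddTransaction($pdo, ['Username' => "alice' x", 'amount' => '1']));
var_dump(findUserId($pdo, "alice' x"));
```

Run with `php example.php`. On MySQL deployments, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the driver, performs the binding; and pair this with the least-privilege database account the paragraph recommends, so that even a remaining injection cannot read or modify tables the transaction page does not need.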


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-14T15:45:32.506Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c808eec396be2414c8bd35

Added to database: 9/15/2025, 12:39:10 PM

Last enriched: 9/15/2025, 12:39:44 PM

Last updated: 9/15/2025, 1:12:40 PM

Views: 4
