CVE-2025-10851 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Gym Management System, specifically within the /ajax.php?action=login endpoint. The vulnerability arises from improper sanitization or validation of the 'Username' parameter, allowing an attacker to inject malicious SQL code remotely without any authentication or user interaction. This flaw enables an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the database. Given that the exploit code has been publicly released, the risk of exploitation is heightened. The CVSS 4.0 base score of 6.9 classifies this as a medium severity vulnerability, reflecting its network attack vector, low attack complexity, and no required privileges or user interaction. The impact on confidentiality, integrity, and availability is rated as low individually but collectively significant enough to warrant attention. The vulnerability does not require authentication, increasing its risk profile, and the scope is limited to the affected version 1.0 of the product. No official patches have been released yet, and no known exploits in the wild have been reported, but the public availability of exploit code increases the likelihood of future attacks.

For European organizations using Campcodes Gym Management System 1.0, this vulnerability poses a tangible risk of unauthorized access to sensitive customer and operational data stored within the system's database. Given the nature of gym management systems, compromised data could include personal identification information, membership details, payment information, and health-related data, which are subject to GDPR regulations. Exploitation could lead to data breaches, reputational damage, regulatory penalties, and operational disruptions. Additionally, attackers could manipulate or delete records, impacting business continuity. Since the vulnerability is remotely exploitable without authentication, attackers could launch automated attacks at scale, increasing the risk for organizations that have exposed this system to the internet. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise without additional vulnerabilities or misconfigurations. However, the presence of public exploit code elevates the urgency for mitigation.

Organizations should immediately assess their exposure to Campcodes Gym Management System version 1.0, especially instances accessible over public networks. Since no official patches are currently available, the following specific mitigations are recommended: 1) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'Username' parameter on /ajax.php?action=login. 2) Restrict network access to the management system by placing it behind VPNs or internal firewalls to limit exposure. 3) Conduct input validation and sanitization at the application level if source code access is available, focusing on parameterized queries or prepared statements to prevent injection. 4) Monitor logs for unusual login attempts or SQL error messages indicative of injection attempts. 5) Plan for an urgent upgrade or patch deployment once the vendor releases a fix. 6) Consider isolating or decommissioning vulnerable instances if immediate patching is not feasible. 7) Educate staff about the risk and ensure incident response plans are updated to detect and respond to potential exploitation.