CVE-2025-10857: SQL Injection in Campcodes Point of Sale System POS
A security flaw has been discovered in Campcodes Point of Sale System POS 1.0. It affects an unknown part of the file /login.php. Manipulating the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit has been publicly released and may be used.
AI Analysis
Technical Summary
CVE-2025-10857 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Point of Sale (POS) System, specifically in the /login.php file. The vulnerability arises from improper sanitization or validation of the 'Username' parameter, allowing an attacker to manipulate the SQL query executed by the backend database. This flaw enables remote attackers to inject arbitrary SQL commands without requiring authentication or user interaction, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges or user interaction needed (PR:N, UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no exploits have been observed in the wild yet, the exploit code has been publicly released, increasing the risk of exploitation. The lack of available patches or mitigations from the vendor further elevates the threat. This vulnerability is critical for POS systems as it could allow attackers to bypass authentication, extract sensitive customer and payment data, or manipulate transaction records, potentially leading to financial fraud and reputational damage.
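To make the mechanism concrete, here is an added example (not code from Campcodes or from this advisory) in Python with an in-memory SQLite table standing in for the POS user store: a login routine that splices the Username value into the SQL text, beside the parameterized form the mitigation section recommends. A username containing a single quote reaches the SQL parser in the first version and raises a database error, which is the symptom a defender can test for and the kind of error that log monitoring should flag; the bound-parameter version treats the same value as plain data.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for a POS user table (not the real Campcodes schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo short; a real store must hash credentials.
    conn.execute("INSERT INTO users VALUES ('cashier', 'S3cret!')")
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """The flawed pattern: request values are pasted into the SQL text, so a quote
    in Username changes the structure of the query (the CVE-2025-10857 class of bug)."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Hardened form: placeholders are bound by the driver, so the values are never
    parsed as SQL regardless of the characters they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def quote_in_username_reaches_parser(conn):
    """True when a username with an apostrophe breaks the concatenated query.
    This check needs no exploit payload: an ordinary name such as O'Brien suffices."""
    try:
        login_concatenated(conn, "O'Brien", "x")
    except sqlite3.OperationalError:
        return True
    return False
```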
Potential Impact
For European organizations using Campcodes POS 1.0, this vulnerability poses significant risks. POS systems handle sensitive payment card data and customer information, so exploitation could lead to data breaches involving personally identifiable information (PII) and payment card data, triggering GDPR compliance issues and heavy fines. Unauthorized access to or manipulation of transaction data could result in financial losses, fraud, and erosion of customer trust. Retailers, hospitality businesses, and any other sectors relying on Campcodes POS are at risk of operational disruption if attackers leverage this flaw to compromise system integrity or availability. Additionally, the public availability of exploit code increases the likelihood of opportunistic attacks, especially against smaller businesses with limited cybersecurity resources. The medium severity rating suggests that, although the vulnerability is serious, some technical skill may be needed to exploit it effectively; however, the absence of authentication and user interaction requirements lowers the barrier for attackers.
Mitigation Recommendations
European organizations should immediately assess their use of Campcodes POS 1.0 and prioritize upgrading to a patched version once available. In the absence of an official patch, organizations should implement web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the /login.php endpoint, specifically filtering suspicious payloads in the Username parameter. Network segmentation should isolate POS systems from broader corporate networks to limit lateral movement if compromised. Regular monitoring of logs for unusual login attempts or database errors can help detect exploitation attempts early. Employing database-level protections such as least privilege access for the POS application and parameterized queries or stored procedures (if modifiable) can reduce injection risks. Organizations should also conduct penetration testing focused on SQL injection vectors and train staff on incident response procedures for POS-related breaches. Finally, engaging with the vendor for timely updates and vulnerability disclosures is critical.
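The log-monitoring recommendation above can be turned into a simple check. The following is an added example (not a Campcodes or vendor tool) in Python: it parses constructed application log lines in a made-up key=value format, tallies failed logins and database errors per client on /login.php, and flags clients that trip either threshold. Any database error on a login endpoint is treated as a strong signal, since a correctly parameterized login query should never produce one from user input.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the format is invented for this example and is
# not the real Campcodes log format. Addresses are documentation ranges.
SAMPLE_LOG = """\
2025-09-23T08:30:01Z client=203.0.113.5 path=/login.php result=fail
2025-09-23T08:30:02Z client=203.0.113.5 path=/login.php result=fail db_error="syntax error near '"
2025-09-23T08:30:03Z client=203.0.113.5 path=/login.php result=fail db_error="syntax error near '"
2025-09-23T08:30:04Z client=203.0.113.5 path=/login.php result=fail db_error="unrecognized token"
2025-09-23T08:31:10Z client=198.51.100.7 path=/login.php result=ok
2025-09-23T08:31:12Z client=198.51.100.7 path=/index.php result=ok
2025-09-23T08:32:00Z client=192.0.2.9 path=/login.php result=fail
"""

LINE_RE = re.compile(
    r'client=(?P<client>\S+) path=(?P<path>\S+) result=(?P<result>\w+)'
    r'(?: db_error="(?P<err>[^"]*)")?'
)


def summarize_login_activity(log_text, endpoint="/login.php"):
    """Per client: number of failed logins and of database errors on the login endpoint."""
    stats = defaultdict(lambda: {"fail": 0, "db_error": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("path") != endpoint:
            continue
        entry = stats[m.group("client")]
        if m.group("result") == "fail":
            entry["fail"] += 1
        if m.group("err") is not None:
            entry["db_error"] += 1
    return dict(stats)


def suspicious_clients(stats, max_db_errors=0, max_failures=3):
    """Clients exceeding either threshold. A single DB error on /login.php is enough,
    because bound parameters should make such errors impossible from user input."""
    return sorted(
        client for client, s in stats.items()
        if s["db_error"] > max_db_errors or s["fail"] > max_failures
    )
```

Run the two functions over the real login log and feed the flagged clients to the WAF block list or the incident queue.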
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-22T14:23:56.038Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d25c4623e5eeb014d89dc7
Added to database: 9/23/2025, 8:37:26 AM
Last enriched: 9/23/2025, 8:37:51 AM
Last updated: 9/24/2025, 2:39:02 AM