CVE-2025-13424 identifies a SQL injection vulnerability in Campcodes Supplier Management System version 1.0, located in the /admin/add_product.php script. The vulnerability arises from improper sanitization of the txtProductName parameter, which is susceptible to SQL injection attacks. An attacker with high-level privileges and authenticated access can remotely exploit this flaw by injecting crafted SQL statements through the vulnerable parameter. This can lead to unauthorized data access, modification, or deletion within the backend database, impacting the confidentiality, integrity, and availability of supplier and product data. The vulnerability does not require user interaction but does require authentication with elevated privileges, limiting the attack surface. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and no privileges required (PR:H), with partial impacts on confidentiality, integrity, and availability. Although no known exploits are currently active in the wild, the public disclosure increases the risk of exploitation. The lack of available patches necessitates immediate mitigation efforts by affected organizations. This vulnerability is critical for organizations relying on Campcodes Supplier Management System for managing supplier data, as exploitation could disrupt supply chain operations or lead to data breaches.

For European organizations, exploitation of this vulnerability could result in unauthorized access to sensitive supplier and product information, potentially leading to data breaches, manipulation of procurement data, and disruption of supply chain operations. The integrity of supplier records could be compromised, causing financial losses or reputational damage. Availability impacts could arise if attackers delete or corrupt database entries, interrupting business processes. Given the requirement for high privilege authentication, insider threats or compromised administrative accounts pose the greatest risk. Organizations in sectors with complex supplier networks, such as manufacturing, retail, and logistics, may face operational disruptions. Additionally, regulatory compliance risks exist under GDPR if personal or sensitive data is exposed. The medium severity rating suggests a moderate but actionable risk that should be addressed to prevent escalation or lateral movement within networks.

Organizations should immediately audit and restrict administrative access to the Campcodes Supplier Management System, ensuring only trusted personnel have high privilege accounts. Input validation and parameterized queries must be implemented or verified in the /admin/add_product.php script to prevent SQL injection. If patches become available from the vendor, they should be applied promptly. In the absence of patches, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the txtProductName parameter. Regularly monitor logs for suspicious database queries or unauthorized access attempts. Conduct security training for administrators to recognize phishing or credential compromise risks. Segmentation of the supplier management system from other critical infrastructure can limit potential lateral movement. Finally, perform regular backups of supplier data to enable recovery in case of data corruption or deletion.