CVE-2025-13424: SQL Injection in Campcodes Supplier Management System
A vulnerability has been found in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_product.php. The manipulation of the argument txtProductName leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-13424 is a SQL injection flaw (CWE-89) in Campcodes Supplier Management System 1.0, in the script /admin/add_product.php. The txtProductName parameter is placed into a SQL statement without validation or parameter binding, so an attacker who can reach the endpoint can alter the structure of the query rather than merely supply a value. Because the script lives under /admin/, exploitation requires an authenticated session with administrative privileges, which is why the CVSS 4.0 vector carries network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N) and high privileges required (PR:H). The vector rates the confidentiality, integrity and availability impact as low, reflecting partial disclosure or modification of database contents rather than full system takeover. In practice the reach of the injection depends on the privileges of the database account the application connects with, and an injection in an INSERT context can still copy data from other tables (credential hashes, for example) into the product record, which the attacker then reads back through the normal product listing.

No vendor patch was available at the time of writing and no exploitation in the wild has been reported, but a public exploit write-up exists, which lowers the effort needed to weaponize the bug. Only version 1.0 is listed as affected. The root cause is the absence of parameterized queries and input validation around this form field; the same coding pattern should be assumed to recur elsewhere in the code base until a review shows otherwise. Organizations running this system should assess their exposure now and apply mitigations rather than wait for a fix.
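The pattern described above, as an added example that is not code from the Campcodes product: a vulnerable insert that splices the form field into the SQL text, beside the hardened version that binds it as a parameter. It runs against an in-memory SQLite database with a hypothetical products and users schema standing in for the application's own, and the payload is a generic INSERT-context construction (close the literal, concatenate a subquery result, reopen the literal), not the public exploit. It also shows that the vulnerable version breaks on a legitimate name containing an apostrophe, which the fixed version stores correctly.

```python
import sqlite3

# Constructed placeholder hash for the demo database; not a real credential.
ADMIN_HASH = "$2y$10$constructed.placeholder.hash.value"

# Constructed injection payload for an INSERT context: it closes the name
# literal, concatenates a value read from another table, and reopens the
# literal so the statement stays syntactically valid. Independent of the
# public exploit; the table and column names are hypothetical.
PAYLOAD = "Widget'||(SELECT password_hash FROM users WHERE username='admin')||'"

# A legitimate product name that happens to contain a quote character.
LEGIT_NAME = "O'Brien brass valve"


def new_db():
    """In-memory SQLite database with a hypothetical products and users schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        """
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        ("admin", ADMIN_HASH),
    )
    return conn


def last_product_name(conn):
    """Name of the most recently inserted product, i.e. what the listing would show."""
    row = conn.execute("SELECT name FROM products ORDER BY id DESC LIMIT 1").fetchone()
    return row[0] if row else None


def add_product_vulnerable(conn, txt_product_name):
    """Vulnerable pattern: the form field is spliced into the SQL text, so the
    database parses whatever the user typed as part of the statement."""
    sql = "INSERT INTO products (name) VALUES ('%s')" % txt_product_name
    conn.execute(sql)
    return last_product_name(conn)


def add_product_fixed(conn, txt_product_name):
    """Hardened version: the value is bound as a parameter and never parsed as
    SQL. The length check is defence in depth, not the fix itself."""
    if not 1 <= len(txt_product_name) <= 100:
        raise ValueError("product name must be 1 to 100 characters")
    conn.execute("INSERT INTO products (name) VALUES (?)", (txt_product_name,))
    return last_product_name(conn)


def run_demo():
    """Return what each version stores for the payload and the legitimate name."""
    results = {}
    conn = new_db()
    # Vulnerable: the stored name now carries the admin hash pulled from users.
    results["vulnerable_payload"] = add_product_vulnerable(conn, PAYLOAD)
    # Vulnerable: the apostrophe in a real name breaks the statement entirely.
    try:
        results["vulnerable_legit"] = add_product_vulnerable(conn, LEGIT_NAME)
    except sqlite3.OperationalError as exc:
        results["vulnerable_legit"] = "error: %s" % exc
    conn = new_db()
    # Fixed: the payload is stored literally, the legitimate name intact.
    results["fixed_payload"] = add_product_fixed(conn, PAYLOAD)
    results["fixed_legit"] = add_product_fixed(conn, LEGIT_NAME)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-18s %s" % (key, value))
```

The same change in the PHP code base, assuming it uses mysqli, is to move from building the query string to `$mysqli->prepare()` with `bind_param()`, or to PDO prepared statements; the point is that the product name travels to the database as data, not as part of the statement text.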
Potential Impact
For European organizations, especially those in manufacturing, logistics and supply chain management that run Campcodes Supplier Management System 1.0, this vulnerability creates a risk of unauthorized access to and manipulation of the application's database. An attacker who reaches the endpoint could read supplier and product records, including data from tables the admin interface does not normally expose, alter product data, or disrupt supply chain operations by corrupting or deleting records. The consequences range from financial loss and reputational damage to regulatory exposure, in particular under GDPR where supplier contact details or other personal data are held in the database. The high-privilege requirement keeps unauthenticated external attackers out, but an insider, or an attacker who has obtained an administrator's credentials through phishing, password reuse or a compromised workstation, meets the precondition. Disruption of supplier management processes could affect production timelines and contractual obligations. The medium severity rating indicates a moderate but actionable risk: the absence of observed exploitation limits the immediate impact, while the public disclosure of an exploit raises the likelihood of attempts over time.
Mitigation Recommendations
1. Immediately audit who can reach /admin/add_product.php and restrict it to trusted administrators, enforcing strong authentication and monitoring of administrative sessions.
2. Replace string concatenation with parameterized queries or prepared statements for the statement issued by add_product.php, binding txtProductName as a parameter. Input validation (length, permitted characters) is worthwhile as defence in depth, but escaping or filtering on its own is not a fix for SQL injection.
3. Review all input handling in the Supplier Management System for the same pattern, since a flaw of this kind rarely occurs in only one form field.
4. Deploy a Web Application Firewall with rules targeting this endpoint as a temporary layer while the code is fixed; make sure the rule inspects txtProductName wherever it is submitted (query string or request body), and treat the WAF as a detection aid rather than a substitute for the code change.
5. Monitor database and application logs for product inserts containing SQL syntax (subqueries, UNION, comment sequences), repeated database errors raised by add_product.php, and anomalous administrator logins, any of which may indicate probing or exploitation.
6. Coordinate with Campcodes for an official patch and apply it promptly once available.
7. Protect administrator credentials (unique passwords, no shared accounts, prompt revocation when staff leave), because a compromised administrator account is the precondition for exploiting this flaw.
8. Segment the network so the supplier management system is isolated from critical infrastructure, limiting lateral movement if the host is compromised.
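Detection logic for the log-monitoring recommendation, as an added example that is not part of the original advisory or the Campcodes product. It assumes a MySQL back end with the general query log enabled on the monitored instance, and scans constructed sample lines in that log's shape (timestamp, thread id, command, argument) for product inserts that carry SQL syntax rather than a plain product name. The table name, column names and statements in the sample are illustrative, not taken from the affected application or the public exploit.

```python
import re

# Constructed sample lines in the shape of a MySQL general query log.
# The statements are illustrative; the third and fourth are what an injected
# txtProductName would look like once it reaches the database.
SAMPLE_LOG = """\
2025-11-20T00:10:53.101Z\t   12 Connect\tsms_app@localhost on sms
2025-11-20T00:10:53.204Z\t   12 Query\tINSERT INTO products (name, supplier_id) VALUES ('Widget 3mm', 7)
2025-11-20T00:11:02.318Z\t   12 Query\tINSERT INTO products (name, supplier_id) VALUES ('x',(SELECT password FROM users WHERE id=1))
2025-11-20T00:11:10.007Z\t   12 Query\tINSERT INTO products (name, supplier_id) VALUES ('x' UNION SELECT username, password FROM users -- ', 7)
2025-11-20T00:11:15.550Z\t   12 Query\tSELECT * FROM products ORDER BY id DESC
"""

# One log record: timestamp, thread id, command word, tab, argument.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\t(?P<arg>.*)$")

# Only statements that write to the product table are of interest here
# (hypothetical table name).
TARGET_STMT = re.compile(r"^\s*insert\s+into\s+products\b", re.I)

# Indicators that SQL syntax, not just a product name, reached the statement.
INDICATORS = [
    ("subquery", re.compile(r"\(\s*select\b", re.I)),
    ("union", re.compile(r"\bunion\b", re.I)),
    ("comment", re.compile(r"--\s|#|/\*")),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("file-io", re.compile(r"\bload_file\s*\(|\binto\s+(out|dump)file\b", re.I)),
]


def scan_general_log(log_text):
    """Return one finding per product INSERT that carries injection indicators.

    Each finding records the timestamp, the thread id (useful to tie the
    statement back to the connecting application session), the indicator
    names that fired, and the statement itself.
    """
    findings = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m or m.group("cmd") != "Query":
            continue
        stmt = m.group("arg")
        if not TARGET_STMT.match(stmt):
            continue
        hits = [name for name, rx in INDICATORS if rx.search(stmt)]
        if hits:
            findings.append({
                "ts": m.group("ts"),
                "thread": int(m.group("thread")),
                "indicators": hits,
                "stmt": stmt,
            })
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print("%s thread=%d %s\n    %s" % (f["ts"], f["thread"], ",".join(f["indicators"]), f["stmt"]))
```

The general log records statements as received, including ones that fail to parse, which is what makes it useful for catching probing; it is also expensive, so enable it only on the monitored instance or for a bounded window. The indicators are heuristics: a product legitimately named "Part #42" would trip the comment rule, so tune the list against real data before alerting on it. Once the endpoint is fixed with prepared statements, a stricter and cheaper rule is available: any product INSERT whose text contains a parenthesis or keyword inside the name literal is anomalous by construction.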
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-19T15:09:52.458Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691e5c8df78d7eef03ef72ba
Added to database: 11/20/2025, 12:10:53 AM
Last enriched: 11/27/2025, 4:48:27 AM
Last updated: 1/7/2026, 8:47:08 AM
Related Threats
- CVE-2025-15158: CWE-434 Unrestricted Upload of File with Dangerous Type in eastsidecode WP Enable WebP (High)
- CVE-2025-15018: CWE-639 Authorization Bypass Through User-Controlled Key in djanym Optional Email (Critical)
- CVE-2025-15000: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tfrommen Page Keys (Medium)
- CVE-2025-14999: CWE-352 Cross-Site Request Forgery (CSRF) in kentothemes Latest Tabs (Medium)
- CVE-2025-13531: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hayyatapps Stylish Order Form Builder (Medium)