CVE-2025-14664 is a SQL injection vulnerability identified in Campcodes Supplier Management System version 1.0, specifically within the /admin/view_unit.php script. The vulnerability stems from improper sanitization of the chkId[] parameter, which is processed in a way that allows attackers to inject arbitrary SQL commands. This flaw enables remote attackers to execute unauthorized SQL queries without requiring authentication or user interaction, potentially leading to unauthorized data access, data modification, or disruption of database availability. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is limited but non-negligible, as attackers can partially compromise the database. Although no active exploitation has been reported, a public exploit is available, increasing the likelihood of future attacks. The vulnerability affects only version 1.0 of the Campcodes Supplier Management System, which is used for managing supplier data and procurement processes. The lack of patches or vendor advisories at this time necessitates immediate defensive measures by users. The vulnerability highlights the importance of secure coding practices such as input validation and the use of parameterized queries to prevent injection attacks.

For European organizations using Campcodes Supplier Management System 1.0, this vulnerability poses a risk of unauthorized access to sensitive supplier and procurement data, which can lead to data breaches, intellectual property theft, or manipulation of supplier records. The integrity of procurement processes could be compromised, potentially causing financial losses or supply chain disruptions. Availability impacts, while limited, could affect operational continuity if database corruption or denial of service occurs. Given the system’s role in supplier management, attacks could also undermine trust with partners and regulatory compliance, especially under GDPR where data breaches must be reported. The presence of a public exploit increases the urgency for European entities to address this vulnerability promptly. Organizations in sectors with complex supply chains, such as manufacturing, automotive, and retail, are particularly at risk. The medium severity rating suggests that while the threat is not critical, it is significant enough to warrant immediate attention to avoid escalation or lateral movement by attackers.

1. Immediately restrict access to the /admin/view_unit.php endpoint to trusted administrative IPs or VPN users to reduce exposure. 2. Implement strict input validation and sanitization on the chkId[] parameter to ensure only expected numeric or alphanumeric values are accepted. 3. Refactor the backend code to use parameterized queries or prepared statements to eliminate SQL injection vectors. 4. Monitor logs for unusual or suspicious SQL query patterns targeting the chkId[] parameter or the affected endpoint. 5. Conduct a thorough security audit of the entire Campcodes Supplier Management System to identify and remediate any other injection or input validation issues. 6. Engage with the vendor or development team to obtain or request a security patch or updated version addressing this vulnerability. 7. Educate administrative users on the risks of SQL injection and enforce strong authentication and session management controls. 8. Consider deploying web application firewalls (WAF) with custom rules to detect and block SQL injection attempts targeting this system. 9. Regularly back up supplier management data and test restoration procedures to mitigate potential data loss from exploitation.