CVE-2025-14664: SQL Injection in Campcodes Supplier Management System
A vulnerability was identified in Campcodes Supplier Management System 1.0. This issue affects some unknown processing of the file /admin/view_unit.php. The manipulation of the argument chkId[] leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
AI Analysis
Technical Summary
CVE-2025-14664 is a SQL injection vulnerability in version 1.0 of the Campcodes Supplier Management System, in the /admin/view_unit.php endpoint. The chkId[] request parameter, an array of record identifiers (by its name, most likely the checked rows of a list), is spliced into a SQL query without validation or parameterization, so any element of the array can carry SQL syntax. Per the published CVSS 4.0 vector the attack is network-reachable, low-complexity and requires neither privileges nor user interaction, giving a base score of 6.9 (medium). Because the script sits under /admin/, operators should still verify whether their deployment enforces a session check before the query runs, since that determines who can actually reach the injection point. A successful injection can read, alter or delete rows in the application database, including supplier and unit records; the individual confidentiality, integrity and availability impacts are rated low to moderate, but for a system whose purpose is holding supplier data that is still material. No vendor patch has been published, and while no exploitation in the wild has been reported, a public exploit exists. Only version 1.0 is listed as affected. The combination of remote reachability, a public exploit and no fix makes this a real concern for procurement systems built on Campcodes software.
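The advisory does not show the affected code. The following is an added example, not code from the Campcodes project or from the advisory: it assumes the usual shape of this bug, where the elements of $_POST['chkId'] are joined with implode() into an IN (...) clause, and shows the hardened replacement with one bound placeholder per element. The table and column names (tbl_unit, unit_name) and the demo rows are hypothetical, and the demo runs on in-memory SQLite so it works without the product installed.

```php
<?php
// Added example, not code from the Campcodes project. It assumes the vulnerable
// handler joins $_POST['chkId'] into an IN (...) list with implode(); table and
// column names (tbl_unit, unit_name) and the demo rows are hypothetical.

// --- Assumed vulnerable pattern (do not use) ---
// $ids  = implode(',', $_POST['chkId']);
// $rows = $pdo->query("SELECT id, unit_name FROM tbl_unit WHERE id IN ($ids)");
// With chkId[]=1) OR 1=1 -- the SQL becomes
//   SELECT id, unit_name FROM tbl_unit WHERE id IN (1) OR 1=1 --)
// and every row comes back; UNION, stacked and time-based payloads work the same way.

/**
 * Hardened lookup: allow-list each element, then bind one placeholder per id.
 *
 * @param PDO   $pdo  connection with ERRMODE_EXCEPTION enabled
 * @param mixed $raw  the raw value of $_POST['chkId'] (null when absent)
 * @return array      matching rows as associative arrays
 */
function fetchUnitsByIds(PDO $pdo, $raw): array
{
    if (!is_array($raw) || $raw === []) {
        return [];                        // absent or non-array input: nothing to look up
    }
    if (count($raw) > 100) {
        throw new InvalidArgumentException('too many ids');
    }
    $ids = [];
    foreach ($raw as $v) {
        // form values arrive as strings; accept only a positive decimal integer
        if (!is_string($v) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $v)) {
            throw new InvalidArgumentException('chkId[] must contain positive integers');
        }
        $ids[] = (int) $v;
    }
    $ids = array_values(array_unique($ids));

    // one "?" per element; the values are bound, never spliced into the SQL text
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, unit_name FROM tbl_unit WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // PDO placeholders are 1-indexed
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_unit (id INTEGER PRIMARY KEY, unit_name TEXT)');
$pdo->exec("INSERT INTO tbl_unit (id, unit_name) VALUES (1, 'kg'), (2, 'pcs'), (3, 'box')");

print_r(fetchUnitsByIds($pdo, ['1', '3']));   // a legitimate request for two ids
try {
    fetchUnitsByIds($pdo, ['1) OR 1=1 --']);   // the injection attempt never reaches SQL
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list check is what keeps a non-numeric element from ever reaching the database, and the generated placeholder list is what keeps a numeric element from being interpreted as SQL; the count cap is there because an unbounded IN list is an easy way to make the database work hard. If the real handler runs a DELETE rather than a SELECT, the same two steps apply unchanged.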
Potential Impact
For European organizations, exploitation could expose supplier and procurement data, alter supplier records, or disrupt supplier management operations. Exposure of personal or business data brings GDPR obligations on top of financial loss and reputational damage. Manufacturing, retail and logistics depend on accurate supplier data, so an integrity compromise can surface as fraudulent supplier entries or altered purchase orders that drive real payments and shipments. The availability impact is rated lower, but a query that deletes or locks supplier data still halts the workflows that depend on it. Because supply chains are interconnected, a compromise at one organization can propagate to its partners.
Mitigation Recommendations
1. Fix the query in /admin/view_unit.php: validate every element of chkId[] as an integer, then run the lookup as a prepared statement with one bound placeholder per element. Escaping or stripping characters is not a substitute, because the parameter is an array and each element is a separate injection point.
2. Apply the vendor patch promptly if Campcodes publishes one; until then the code fix above is the only real remediation.
3. Restrict access to the /admin directory with network segmentation, firewall rules or an allow-list of trusted source IPs; the endpoint should not be reachable from the internet.
4. Put a Web Application Firewall with SQL injection rules in front of the application as a stopgap. Treat it as a compensating control, not a fix: array parameters and URL-encoded payloads routinely slip past signature rules.
5. Review the rest of the codebase for the same pattern; other handlers that build queries from request arrays are the obvious candidates for the same flaw.
6. Monitor web server and database logs for requests to view_unit.php whose chkId[] values are not plain integers, for SQL keywords or comment sequences in query strings, and for bursts of 500 responses or unusually slow responses that point to error-based or time-based probing.
7. Brief IT and security teams on the issue and include compromise of the supplier management system in incident response playbooks.
8. If the system does not need to be online, take it off the internet entirely and reach it only through a VPN or a jump host.
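Item 6 asks for log monitoring without showing what the check looks like. As an added example that is not part of the advisory, the function below scans access-log lines for requests to /admin/view_unit.php whose chkId[] values are not plain integers. The log format (combined Apache/Nginx style) and the sample lines are constructed; because POST bodies are not written to access logs, this only catches GET-based probing and exploitation, and the same check belongs in the application's own request logging for POST.

```php
<?php
// Added detection example, not part of the advisory. It assumes a combined
// access-log format in which the request line (method, target, protocol) is
// quoted; the sample lines below are constructed, not real traffic.

/**
 * Return the chkId[] values in a log line that are not plain decimal integers.
 * Only GET requests carry the values in the logged request target; POST bodies
 * are not in access logs, so this function cannot see them.
 */
function suspiciousChkIdValues(string $logLine): array
{
    // pull the request target out of "METHOD /path?query HTTP/x.y"
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/[0-9.]+"#', $logLine, $m)) {
        return [];
    }
    $target = $m[1];
    $path = parse_url($target, PHP_URL_PATH);
    if (!is_string($path) || stripos($path, '/admin/view_unit.php') === false) {
        return [];
    }
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];                       // no query string, nothing to inspect
    }
    parse_str($query, $params);          // decodes %20 etc. and builds the chkId array
    $values = $params['chkId'] ?? [];
    if (!is_array($values)) {
        $values = [$values];             // a bare chkId=... is also worth a look
    }
    $bad = [];
    foreach ($values as $v) {
        if (!is_string($v) || !preg_match('/\A[0-9]{1,10}\z/', $v)) {
            $bad[] = is_string($v) ? $v : json_encode($v);
        }
    }
    return $bad;
}

// Constructed sample lines: one clean request, two probes, one unrelated page.
$lines = [
    '10.0.0.5 - - [14/Dec/2025:14:46:36 +0000] "GET /admin/view_unit.php?chkId[]=1&chkId[]=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Dec/2025:14:47:01 +0000] "GET /admin/view_unit.php?chkId[]=1)%20OR%201=1--%20- HTTP/1.1" 200 8192',
    '10.0.0.9 - - [14/Dec/2025:14:47:05 +0000] "GET /admin/view_unit.php?chkId[]=1)%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512',
    '10.0.0.7 - - [14/Dec/2025:14:48:00 +0000] "GET /admin/index.php HTTP/1.1" 200 2048',
];

foreach ($lines as $line) {
    $bad = suspiciousChkIdValues($line);
    if ($bad !== []) {
        echo 'ALERT ', $line, PHP_EOL, '  payload: ', implode(' | ', $bad), PHP_EOL;
    }
}
```

Run it over an archived log to establish a baseline before wiring it into alerting: a legitimate user only ever sends integer ids, so in practice any hit is worth a look, and the response size on the second sample line (8192 bytes against 512 for the clean request) is the kind of secondary signal that distinguishes a successful dump from a blocked probe.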
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-13T13:31:27.731Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693ecdcc5f8758ba47d4695a
Added to database: 12/14/2025, 2:46:36 PM
Last enriched: 12/21/2025, 3:34:45 PM
Last updated: 2/3/2026, 8:18:27 AM