
CVE-2025-4718: SQL Injection in Campcodes Sales and Inventory System

Severity: Medium
Published: Thu May 15 2025 (05/15/2025, 20:31:05 UTC)
Source: CVE
Vendor/Project: Campcodes
Product: Sales and Inventory System

Description

A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /pages/customer_add.php. The manipulation of the argument last leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AI-Powered Analysis

Last updated: 07/12/2025, 00:33:53 UTC

Technical Analysis

CVE-2025-4718 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Sales and Inventory System, specifically within the /pages/customer_add.php file. The vulnerability arises due to improper sanitization or validation of the 'last' argument, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This flaw can be exploited to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even deletion. The vulnerability is classified with a CVSS 4.0 base score of 6.9 (medium severity), reflecting its network attack vector, low complexity, and no privileges or user interaction required. Although the exploit has been publicly disclosed, there are no confirmed reports of active exploitation in the wild. The vulnerability may also affect other parameters, indicating a broader input validation issue within the application. Given the nature of sales and inventory systems, which typically store sensitive customer and transactional data, exploitation could compromise confidentiality and integrity of critical business information.

Potential Impact

For European organizations using Campcodes Sales and Inventory System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of customer and inventory data. Successful exploitation could lead to unauthorized disclosure of personally identifiable information (PII), financial records, and inventory details, potentially resulting in regulatory non-compliance under GDPR. Data manipulation could disrupt business operations, cause financial losses, and damage organizational reputation. Since the attack can be launched remotely without authentication, attackers could exploit this vulnerability at scale, increasing the risk of widespread data breaches. Additionally, compromised systems could be leveraged as pivot points for further network intrusion or ransomware attacks, amplifying the overall impact on European enterprises.

Mitigation Recommendations

Immediate mitigation should focus on applying patches or updates provided by Campcodes once available. In the absence of official patches, organizations should implement web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'last' parameter and other input fields in /pages/customer_add.php. Input validation and parameterized queries should be enforced at the application level to sanitize all user inputs rigorously. Conducting thorough code reviews and penetration testing can help identify and remediate similar injection points. Network segmentation and strict access controls can limit the exposure of the vulnerable system. Monitoring logs for unusual database query patterns or error messages related to SQL injection attempts is also recommended. Finally, organizations should prepare incident response plans to quickly address potential exploitation events.
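To make the "parameterized queries" recommendation concrete, the following is an added illustration and not the Campcodes code (the actual customer_add.php is not shown on this page; the table and column names, the use of mysqli, and the field names are assumptions). It places the string-concatenation pattern that produces this class of flaw beside a hardened handler that validates the 'last' value and binds it as a parameter:

```php
<?php
// Added illustration, not the Campcodes source. Table 'customers' and columns
// first_name/last_name are assumed; the request fields mirror the advisory's 'last'.

// --- Vulnerable pattern: request values interpolated straight into the SQL text ---
function add_customer_vulnerable(mysqli $db, array $post): bool
{
    $first = $post['first'] ?? '';
    $last  = $post['last'] ?? '';
    // Any quote or SQL syntax inside 'last' becomes part of the query itself.
    $sql = "INSERT INTO customers (first_name, last_name) VALUES ('$first', '$last')";
    return $db->query($sql) !== false;
}

// --- Hardened pattern: allow-list validation, then a prepared statement ---
function add_customer_safe(mysqli $db, array $post): bool
{
    $first = trim((string) ($post['first'] ?? ''));
    $last  = trim((string) ($post['last'] ?? ''));

    // Reject empty or oversized values before they reach the database layer.
    if ($first === '' || $last === '' || strlen($first) > 64 || strlen($last) > 64) {
        return false;
    }
    // Names: letters (any script), combining marks, apostrophe, space, dot, hyphen.
    $namePattern = "/^[\p{L}\p{M}' .-]+$/u";
    if (!preg_match($namePattern, $first) || !preg_match($namePattern, $last)) {
        return false;
    }

    // Placeholders keep the query structure fixed; values are sent separately
    // and can never be parsed as SQL, whatever characters they contain.
    $stmt = $db->prepare('INSERT INTO customers (first_name, last_name) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $first, $last);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The same bind-parameter discipline applies to every other request field the description warns "might be affected as well"; validation alone is a defence in depth layer, not a substitute for parameterization.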


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-15T06:52:14.295Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec17c

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/12/2025, 12:33:53 AM

Last updated: 8/12/2025, 7:22:31 AM
