CVE-2025-5229 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Hospital Management System, specifically within the /admin/view-patient.php file. The vulnerability arises from improper sanitization or validation of the 'viewid' parameter, which is used in SQL queries to retrieve patient information. An attacker can manipulate this parameter remotely without any authentication or user interaction to inject malicious SQL code. This can lead to unauthorized access to sensitive patient data, modification or deletion of database records, and potentially full compromise of the underlying database server. The vulnerability is rated with a CVSS 4.0 score of 6.9, indicating a medium severity level, primarily due to the lack of authentication requirements and ease of remote exploitation, but with limited impact on confidentiality, integrity, and availability as per the CVSS vector. However, given the critical nature of healthcare data, the real-world impact could be more severe if exploited. No public exploits are currently known in the wild, and no official patches have been released yet. The vulnerability affects only version 1.0 of the product, which is used in hospital management to handle sensitive patient records, making it a high-value target for attackers seeking to access or disrupt healthcare operations.

For European organizations, particularly hospitals and healthcare providers using the Campcodes Online Hospital Management System version 1.0, this vulnerability poses a significant risk to patient data confidentiality and integrity. Exploitation could lead to unauthorized disclosure of personal health information (PHI), violating GDPR regulations and resulting in legal and financial penalties. Additionally, attackers could alter or delete patient records, potentially disrupting clinical workflows and patient care. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially if the system is accessible over the internet. This could also lead to reputational damage and loss of trust in healthcare institutions. Given the critical role of healthcare infrastructure, successful exploitation might also impact availability indirectly by forcing system shutdowns or emergency responses to contain breaches.

Organizations should immediately audit their use of Campcodes Online Hospital Management System version 1.0 and restrict external access to the /admin/view-patient.php endpoint through network segmentation and firewall rules. Input validation and parameterized queries should be implemented to sanitize the 'viewid' parameter, preventing SQL injection. If source code access is available, developers should refactor the vulnerable code to use prepared statements or ORM frameworks that inherently protect against injection. Until an official patch is released, deploying a Web Application Firewall (WAF) with custom rules to detect and block SQL injection patterns targeting the 'viewid' parameter is recommended. Regular monitoring of logs for suspicious query patterns and unusual database activity should be enforced. Additionally, organizations should prepare incident response plans specific to healthcare data breaches and ensure backups are up-to-date to recover from potential data tampering or loss.