CVE-2025-5359 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Hospital Management System, specifically within the /appointment-history.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which is susceptible to malicious SQL payloads. An attacker can remotely exploit this flaw without requiring authentication or user interaction, enabling them to manipulate backend database queries. This can lead to unauthorized data access, data modification, or even complete compromise of the database. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction needed. However, the impact on confidentiality, integrity, and availability is rated as low individually, which moderates the overall severity. No known exploits are currently reported in the wild, but public disclosure increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, and no patches have been published yet. Given the nature of hospital management systems, the exposure of sensitive patient data or disruption of healthcare operations could have serious consequences.

For European organizations, particularly healthcare providers using Campcodes Online Hospital Management System 1.0, this vulnerability poses significant risks. Exploitation could lead to unauthorized access to sensitive patient records, violating GDPR requirements for data protection and privacy. Data integrity could be compromised, potentially affecting clinical decisions and patient safety. Availability impacts, while rated low, could still disrupt appointment scheduling and hospital workflows, leading to operational delays. The reputational damage and regulatory penalties from data breaches in healthcare are substantial in Europe. Additionally, the remote and unauthenticated nature of the exploit increases the attack surface, especially for hospitals with internet-facing systems or insufficient network segmentation. The lack of a patch means organizations must rely on compensating controls until a fix is available.

European healthcare organizations should immediately audit their use of Campcodes Online Hospital Management System version 1.0 and identify any internet-exposed instances of the /appointment-history.php endpoint. Network-level mitigations such as web application firewalls (WAFs) should be configured with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter. Strict input validation and parameterized queries should be implemented by the vendor in future patches; meanwhile, organizations can restrict access to the affected endpoint via network segmentation and VPNs. Continuous monitoring of logs for suspicious database query patterns or unusual access to appointment history data is recommended. Organizations should also prepare incident response plans for potential data breaches and ensure compliance with GDPR breach notification requirements. Promptly applying vendor patches once available is critical. If feasible, consider migrating to a newer, unaffected version or alternative hospital management systems with robust security.