CVE-2025-5360 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Hospital Management System, specifically within the /book-appointment.php file. The vulnerability arises from improper sanitization or validation of the 'doctor' parameter, which is directly used in SQL queries. This flaw allows an unauthenticated remote attacker to inject malicious SQL code, potentially manipulating the backend database. The attack vector requires no authentication or user interaction, making exploitation straightforward if the system is accessible over the network. The CVSS 4.0 score is 6.9, indicating a medium severity level, with network attack vector, low complexity, and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is rated as low individually, but combined they can lead to significant data exposure or manipulation. Although no known exploits are currently in the wild, public disclosure increases the risk of exploitation. The vulnerability affects a critical healthcare management system component, potentially exposing sensitive patient appointment data and hospital operational information. The lack of available patches or mitigations from the vendor further exacerbates the risk.

For European organizations, especially hospitals and healthcare providers using the Campcodes Online Hospital Management System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to patient appointment records, manipulation of scheduling data, or extraction of sensitive healthcare information, violating GDPR and other data protection regulations. This could result in reputational damage, regulatory fines, and disruption of hospital operations. Given the critical nature of healthcare services, any disruption or data breach could have severe consequences for patient care and trust. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion or ransomware deployment, compounding the impact.

Organizations should immediately audit their use of the Campcodes Online Hospital Management System version 1.0 and isolate affected instances from public networks where possible. Since no official patches are available, implement web application firewall (WAF) rules specifically targeting SQL injection patterns on the 'doctor' parameter in /book-appointment.php. Employ input validation and parameterized queries if source code access is available to developers or administrators. Conduct thorough logging and monitoring for suspicious database queries or anomalous access patterns. Segregate the hospital management system database from other critical infrastructure to limit lateral movement. Engage with the vendor for timely patch releases and consider alternative systems if remediation is delayed. Additionally, ensure regular backups of appointment and patient data to enable recovery in case of data tampering.