
CVE-2025-5361: SQL Injection in Campcodes Online Hospital Management System

Severity: Medium
Published: Fri May 30 2025 (05/30/2025, 20:00:10 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Hospital Management System

Description

A vulnerability, which was classified as critical, has been found in Campcodes Online Hospital Management System 1.0. This issue affects some unknown processing of the file /contact.php. The manipulation of the argument fullname leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/08/2025, 13:55:09 UTC

Technical Analysis

CVE-2025-5361 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Hospital Management System, specifically in the /contact.php file. The vulnerability arises from improper sanitization or validation of the 'fullname' parameter, which is directly used in SQL queries without adequate protection. This flaw allows an unauthenticated remote attacker to inject malicious SQL code, potentially manipulating the backend database. Exploitation could lead to unauthorized data access, modification, or deletion, impacting the confidentiality, integrity, and availability of sensitive hospital management data. The vulnerability has a CVSS 4.0 base score of 6.9, categorized as medium severity, reflecting the ease of remote exploitation without authentication or user interaction, but with limited impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no official patches have been published yet. Given the critical nature of hospital management systems, which store sensitive patient and operational data, this vulnerability poses a significant risk if exploited.

Potential Impact

For European organizations, particularly healthcare providers using the Campcodes Online Hospital Management System, this vulnerability could lead to severe consequences. Successful exploitation may result in unauthorized disclosure of patient records, manipulation of hospital operational data, or disruption of healthcare services. Such breaches could violate stringent European data protection regulations like GDPR, leading to legal penalties and reputational damage. Additionally, compromised hospital systems could undermine patient trust and safety. The remote and unauthenticated nature of the attack vector increases the risk of widespread exploitation if the vulnerability remains unpatched. The medium CVSS score suggests that while the impact is significant, it may not lead to complete system takeover or widespread service outages, but targeted data breaches and integrity violations remain a critical concern.

Mitigation Recommendations

Organizations should immediately conduct a thorough audit of their Campcodes Online Hospital Management System installations to identify affected versions (1.0). Until an official patch is released, implement the following mitigations:

1) Apply Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'fullname' parameter in /contact.php.
2) Employ input validation and sanitization at the application level to reject or properly escape suspicious input.
3) Restrict database user privileges to the minimum necessary to limit the impact of potential injection.
4) Monitor application logs for unusual query patterns or errors indicative of injection attempts.
5) Isolate the hospital management system network segment to reduce exposure.
6) Prepare incident response plans specific to data breaches involving patient information.

Once a vendor patch is available, prioritize prompt application and verify remediation through penetration testing focused on SQL injection.
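The following is an added example, written for this page and not code from the Campcodes application or from the advisory, showing the root cause the analysis describes (a form field concatenated into SQL text) next to the fix that mitigation 2 calls for (validate the field) and the fix that actually removes the injection (a parameterized query). The application itself is PHP; Python with sqlite3 is used here only so the contrast can be run offline. The contact_messages table, the column names and the sample inputs are all constructed for the illustration and are not taken from the product.

```python
"""Contact-form insert: concatenated SQL versus validated + parameterized SQL.

Added example for the CVE-2025-5361 advisory; not the Campcodes code.
Table layout, function names and sample data are assumptions made here.
"""

import re
import sqlite3

# Constructed schema standing in for whatever /contact.php writes to.
SCHEMA = """
CREATE TABLE contact_messages (
    id       INTEGER PRIMARY KEY,
    fullname TEXT NOT NULL,
    email    TEXT NOT NULL,
    message  TEXT NOT NULL
);
"""


def fresh_db():
    """Return an in-memory database with the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_contact_vulnerable(conn, fullname, email, message):
    """The pattern the advisory describes: the request parameter is pasted
    straight into the SQL text. Returns True on success, or the database
    error message when the input changes the structure of the statement.
    A perfectly legitimate name containing an apostrophe is enough to do so,
    which is the same defect an attacker would abuse."""
    sql = (
        "INSERT INTO contact_messages (fullname, email, message) VALUES ('"
        + fullname + "', '" + email + "', '" + message + "')"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error as exc:
        # In production this error text is what mitigation 4 asks you to
        # watch for in the application logs.
        return str(exc)


# Allow-list for a person's name: Latin letters (including accented ones),
# apostrophe, space, dot and hyphen, at most 100 characters. This is defence
# in depth (mitigation 2); it is NOT what prevents injection on its own.
FULLNAME_RE = re.compile(r"[A-Za-z\u00C0-\u024F' .-]{1,100}")


def validate_fullname(fullname):
    """True when the value looks like a name; False for anything else."""
    return FULLNAME_RE.fullmatch(fullname) is not None


def insert_contact_safe(conn, fullname, email, message):
    """Hardened variant: reject values that cannot be a name, then bind every
    user-supplied value as a parameter so the database never parses it as
    SQL. (Email validation is omitted to keep the example short; the
    parameter binding protects that column regardless.)"""
    if not validate_fullname(fullname):
        return False
    conn.execute(
        "INSERT INTO contact_messages (fullname, email, message) VALUES (?, ?, ?)",
        (fullname, email, message),
    )
    conn.commit()
    return True


def stored_names(conn):
    """Names currently in the table, in insertion order."""
    return [row[0] for row in conn.execute(
        "SELECT fullname FROM contact_messages ORDER BY id")]


if __name__ == "__main__":
    db = fresh_db()
    print(insert_contact_vulnerable(db, "Jane Doe", "jane@example.test", "Hi"))
    print(insert_contact_vulnerable(db, "Conor O'Brien", "c@example.test", "Hi"))
    print(insert_contact_safe(db, "Conor O'Brien", "c@example.test", "Hi"))
    print(stored_names(db))
```

Running the script shows the concatenated version failing on an ordinary Irish surname while the parameterized version stores it verbatim; the difference is that the bound value never reaches the SQL parser. In PHP the equivalent is a prepared statement with placeholders (for example PDO::prepare with `?` markers and the values passed to execute) rather than string interpolation into the query. Mitigation 3 belongs alongside this code: the database account used by the contact form needs only INSERT on this one table, so that even an unfixed concatenation cannot read or alter patient records.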


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-30T09:16:15.049Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683a1182182aa0cae2bf164b

Added to database: 5/30/2025, 8:13:54 PM

Last enriched: 7/8/2025, 1:55:09 PM

Last updated: 7/30/2025, 4:11:35 PM

