CVE-2025-5364: SQL Injection in Campcodes Online Hospital Management System
A vulnerability was found in Campcodes Online Hospital Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /doctor/add-patient.php. The manipulation of the argument patname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5364 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Hospital Management System, specifically within the /doctor/add-patient.php file. The vulnerability arises from improper sanitization or validation of the 'patname' parameter, which is used in SQL queries without adequate protection against malicious input. An attacker can exploit this flaw remotely without any authentication or user interaction, by injecting crafted SQL code into the 'patname' parameter. This can lead to unauthorized access to the underlying database, allowing an attacker to read, modify, or delete sensitive patient data, manipulate hospital records, or potentially escalate privileges within the system. The vulnerability is classified with a CVSS 4.0 base score of 6.9 (medium severity), reflecting the ease of remote exploitation without authentication but with limited impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The lack of an official patch or mitigation guidance from the vendor further elevates the threat to organizations using this system. Given the critical nature of healthcare data and the role of hospital management systems in patient care, exploitation could disrupt healthcare operations and compromise patient privacy.
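To make the root cause concrete, the following Python example (added here, not code from Campcodes or from the advisory) contrasts the pattern the summary describes, a patname value concatenated into the SQL text, with a prepared statement that binds the value as data. The table name, column names, the exact shape of the vulnerable query and the length limit are assumptions; an in-memory SQLite database stands in for the application's database.

```python
"""Unparameterised vs. parameterised INSERT of a 'patname' value.

Added example, not Campcodes code: schema, column names and the form of the
vulnerable query are assumptions made for illustration.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the hospital database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, patname TEXT NOT NULL)"
    )
    return conn


def add_patient_vulnerable(conn: sqlite3.Connection, patname: str) -> None:
    """Builds the INSERT by string concatenation (assumed form of the flaw).

    The request value becomes part of the SQL text, so any quote or keyword
    inside it is parsed as SQL rather than stored as a name.
    """
    sql = "INSERT INTO patients (patname) VALUES ('" + patname + "')"
    conn.execute(sql)


def add_patient_hardened(conn: sqlite3.Connection, patname: str) -> None:
    """Prepared statement: the value is bound as data and cannot change the
    query structure. The length check is a cheap application-level validation
    (limit chosen for the example)."""
    if not patname or len(patname) > 100:
        raise ValueError("patname must be 1..100 characters")
    conn.execute("INSERT INTO patients (patname) VALUES (?)", (patname,))


def stored_names(conn: sqlite3.Connection) -> list[str]:
    """Return every stored patname in insertion order."""
    return [row[0] for row in conn.execute("SELECT patname FROM patients ORDER BY id")]


def demo(patname: str) -> dict:
    """Run both code paths on the same input and report what happened."""
    result = {"input": patname}
    conn = setup_db()
    try:
        add_patient_vulnerable(conn, patname)
        result["vulnerable_accepted"] = True
    except sqlite3.Error as exc:
        # A legitimate name containing an apostrophe already breaks the
        # concatenated query: proof that the input is interpreted as SQL.
        result["vulnerable_accepted"] = False
        result["vulnerable_error"] = str(exc)
    conn = setup_db()
    add_patient_hardened(conn, patname)
    result["hardened_stored"] = stored_names(conn)
    return result


if __name__ == "__main__":
    for name in ("Jane Doe", "Conor O'Brien"):
        print(demo(name))
```

The apostrophe case is the useful check for defenders: a real name such as "Conor O'Brien" makes the concatenated query fail with a syntax error, which is the same mechanism that lets crafted input alter the query. The bound-parameter version stores the name unchanged, and no amount of escaping at the WAF is a substitute for that fix in the application itself.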
Potential Impact
For European organizations, particularly hospitals and healthcare providers using Campcodes Online Hospital Management System 1.0, this vulnerability poses significant risks. Exploitation could lead to unauthorized disclosure of sensitive patient health information, violating GDPR requirements and resulting in legal and financial penalties. Data integrity could be compromised, leading to incorrect patient records, which may affect clinical decisions and patient safety. Availability of the hospital management system could also be impacted if attackers manipulate or delete critical data, potentially disrupting hospital workflows and emergency response. The reputational damage from a breach could be severe, undermining patient trust and confidence in healthcare providers. Additionally, healthcare institutions are often targeted by cybercriminals and nation-state actors due to the critical nature of their services and data, increasing the likelihood of targeted attacks leveraging this vulnerability.
Mitigation Recommendations
Organizations should immediately audit their use of Campcodes Online Hospital Management System version 1.0 and isolate affected instances. Since no official patch is currently available, the following specific mitigations are recommended:
1. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'patname' parameter in /doctor/add-patient.php.
2. Apply input validation and sanitization at the application level to reject or properly escape special characters in user inputs.
3. Restrict database user permissions to the minimum necessary, preventing unauthorized data modification or access.
4. Monitor logs for unusual database queries or failed injection attempts to detect exploitation attempts early.
5. Consider migrating to alternative hospital management systems or updated versions once patches are released.
6. Conduct regular security assessments and penetration testing focused on injection flaws.
7. Educate IT and security staff about this vulnerability and ensure incident response plans include scenarios involving SQL injection attacks.
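Mitigation points (1) and (4) both come down to recognising injection patterns in the patname value sent to the affected endpoint. The following Python example, added here and not part of the advisory or the product, scans a request log for /doctor/add-patient.php and flags patname values carrying SQL comment markers, statement separators, or a closed quote followed by a SQL keyword. The log format, client addresses and parameter values are constructed for the example; a real deployment would need the web server or the application to record the parameter.

```python
"""Flag suspicious 'patname' values sent to /doctor/add-patient.php.

Added detection example, not Campcodes code. The log format below is a
constructed application-level request log, not the product's own output.
"""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/doctor/add-patient.php"
PARAM = "patname"

# Constructed sample log. Assumed format: "<timestamp> <client-ip> <method> <target>".
SAMPLE_LOG = """\
2025-05-30T09:16:23Z 203.0.113.7 GET /doctor/add-patient.php?patname=Jane+Doe
2025-05-30T09:16:31Z 203.0.113.7 GET /doctor/add-patient.php?patname=Conor+O%27Brien
2025-05-30T09:17:02Z 198.51.100.9 GET /doctor/add-patient.php?patname=x%27+OR+1%3D1--
2025-05-30T09:17:05Z 198.51.100.9 GET /doctor/add-patient.php?patname=x%27%3B+SELECT+1%2F*
2025-05-30T09:18:00Z 203.0.113.7 GET /doctor/view-patient.php?patname=x%27--
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+)$")

# Indicators: SQL comment openers and statement separators, or a quote that
# closes the string and is followed by a SQL keyword. A lone apostrophe is
# deliberately NOT an indicator, because it appears in legitimate names.
COMMENT_OR_SEPARATOR = re.compile(r"(--|/\*|;)")
QUOTE_THEN_KEYWORD = re.compile(
    r"'\s*(or|and|union|select|sleep|benchmark)\b", re.IGNORECASE
)


def suspicious_value(value: str) -> bool:
    """True when the decoded parameter value looks like SQL, not a name."""
    return bool(COMMENT_OR_SEPARATOR.search(value) or QUOTE_THEN_KEYWORD.search(value))


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious patname value on the affected path."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production scanner would count these
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue  # scoped to the endpoint named in the advisory
        for value in parse_qs(parts.query).get(PARAM, []):
            if suspicious_value(value):
                findings.append({"ts": m["ts"], "ip": m["ip"], "value": value})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} patname={finding['value']!r}")
```

Two caveats matter in practice. First, if the form submits by POST, the value is not in the request line and the web server's access log will not show it; the same matching logic then belongs in the WAF or in application-level logging. Second, the rules above skip "Conor O'Brien" on purpose: a WAF or log rule that blocks on any apostrophe in a patient name will generate false positives in a hospital, so the signature should key on what follows the quote rather than on the quote alone.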
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-30T09:16:23.412Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 683a267c182aa0cae2c28cb4
Added to database: 5/30/2025, 9:43:24 PM
Last enriched: 7/8/2025, 12:57:22 PM
Last updated: 7/30/2025, 4:11:29 PM