CVE-2025-5676: SQL Injection in Campcodes Online Recruitment Management System
A vulnerability was found in Campcodes Online Recruitment Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/ajax.php?action=login. The manipulation of the argument Username leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5676 is a critical SQL injection vulnerability identified in version 1.0 of the Campcodes Online Recruitment Management System. The vulnerability exists in the /admin/ajax.php endpoint, specifically in the 'login' action, where the 'Username' argument is not properly sanitized before it is used in a database query. This flaw allows an unauthenticated remote attacker to inject SQL syntax through the Username parameter and thereby alter the backend database queries. Exploitation can lead to unauthorized data access, data modification, or complete compromise of the recruitment system's database. The vulnerability is remotely exploitable without authentication or user interaction, which raises its risk profile. Although the CVSS 4.0 score is 6.9 (medium severity), the potential impact on the confidentiality, integrity, and availability of sensitive recruitment data is significant. No official patches or mitigations have been published yet; while no exploitation in the wild is currently known, public disclosure of the exploit code increases the likelihood of exploitation attempts. Only version 1.0 of the product is affected, which may still be in use by some organizations relying on this recruitment management system.
Potential Impact
For European organizations using Campcodes Online Recruitment Management System 1.0, this vulnerability poses a serious threat to the confidentiality and integrity of recruitment data, including personally identifiable information (PII) of job applicants and internal HR data. Exploitation could lead to unauthorized data disclosure, data tampering, or disruption of recruitment operations. This could result in regulatory non-compliance under GDPR due to data breaches, reputational damage, and potential financial penalties. Additionally, attackers could use the compromised system as a foothold to pivot into broader corporate networks, escalating the impact beyond the recruitment system itself. Given the remote and unauthenticated nature of the exploit, attackers can target vulnerable systems over the internet without prior access, increasing the risk for organizations with externally accessible recruitment portals.
Mitigation Recommendations
Organizations should immediately audit their use of Campcodes Online Recruitment Management System to identify any instances of version 1.0. Since no official patch is currently available, the following specific mitigations are recommended:
1) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the /admin/ajax.php?action=login endpoint, focusing on anomalous input in the Username parameter.
2) Restrict external access to the administration interface by IP whitelisting or VPN access to reduce exposure.
3) Conduct input validation and sanitization at the application layer if source code access is available, applying parameterized queries or prepared statements for database interactions.
4) Monitor logs for suspicious login attempts or unusual database errors indicative of injection attempts.
5) Plan for an urgent upgrade or replacement of the vulnerable system once a patch or newer secure version is released by the vendor.
6) Educate IT and security teams about this vulnerability to ensure rapid detection and response to potential exploitation attempts.
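As an added example that is not part of this advisory or the vendor's code, the following Python script implements the log-monitoring recommendation above: it isolates requests to /admin/ajax.php with action=login and flags Username values containing SQL keywords or comment sequences, as well as login requests that produced a database error. The log format, its field names and the sample lines are constructed assumptions; a plain web-server access log does not contain the POSTed Username, so the hypothetical application is assumed to log it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic) in an assumed application-log format:
#   <client ip> <method> <uri> <status> username="<value>" db_error="<message or ->"
# A web-server access log omits POST bodies, so the application is assumed to log them.
SAMPLE_LOG = """\
203.0.113.5 POST /admin/ajax.php?action=login 200 username="hr.manager" db_error="-"
203.0.113.5 POST /admin/ajax.php?action=login 401 username="o'neil" db_error="-"
198.51.100.7 POST /admin/ajax.php?action=login 500 username="admin'" db_error="You have an error in your SQL syntax"
198.51.100.7 POST /admin/ajax.php?action=login 200 username="x' OR 'a'='a" db_error="-"
203.0.113.8 POST /admin/ajax.php?action=save_applicant 200 username="recruiter" db_error="-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) '
    r'username="(?P<username>[^"]*)" db_error="(?P<db_error>[^"]*)"$'
)
# Comment openers, separators, or a quote followed by a boolean/UNION keyword. A lone
# apostrophe is not matched (real names contain them); it only matters with a db error.
STRONG_RE = re.compile(r"""--|/\*|;|['"]\s*(?:or|and|union)\b""", re.IGNORECASE)

def is_login_action(uri: str) -> bool:
    """True only for the endpoint and action named in the advisory."""
    parts = urlsplit(uri)
    return parts.path == "/admin/ajax.php" and parse_qs(parts.query).get("action") == ["login"]

def classify(username: str, db_error: str) -> list[str]:
    """Reasons one login request looks like an injection attempt (empty if clean)."""
    reasons = []
    if STRONG_RE.search(username):
        reasons.append("sql keyword or comment sequence in Username")
    if db_error != "-":
        reasons.append("database error on login")
    return reasons

def scan(log_text: str) -> dict[str, list[str]]:
    """Map each client IP to every reason its login requests were flagged."""
    flagged: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_login_action(m["uri"]):
            continue  # other endpoints and actions are out of scope for this rule
        if reasons := classify(m["username"], m["db_error"]):
            flagged.setdefault(m["ip"], []).extend(reasons)
    return flagged

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the sample lines only 198.51.100.7 is flagged; the legitimate apostrophe in "o'neil" is not, which is the false-positive case a WAF rule keyed on a bare quote would trip on.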
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-04T13:02:30.778Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6841ec61182aa0cae2ed1efc
Added to database: 6/5/2025, 7:13:37 PM
Last enriched: 7/7/2025, 5:01:28 PM
Last updated: 8/13/2025, 9:14:23 PM