CVE-2025-63719 identifies a SQL Injection vulnerability in Campcodes Online Hospital Management System (OMS) version 1.0. The flaw exists in the /admin/index.php endpoint, where the username parameter is improperly sanitized, allowing attackers to inject malicious SQL code. This vulnerability is classified under CWE-89, indicating improper neutralization of special elements used in SQL commands. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. Successful exploitation can lead to unauthorized data access, modification, or deletion, impacting the confidentiality, integrity, and availability of sensitive hospital data. The CVSS v3.1 base score of 7.3 reflects high severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:L/I:L/A:L). No patches or known exploits have been reported yet, but the vulnerability demands urgent attention due to the critical nature of healthcare data and potential for widespread impact in hospital environments.

For European organizations, particularly hospitals and healthcare providers using Campcodes OMS, this vulnerability could lead to significant data breaches involving patient records, medical histories, and administrative data. The compromise of such sensitive information could result in violations of GDPR and other data protection regulations, leading to legal and financial penalties. Additionally, attackers could alter or delete critical data, disrupting hospital operations and patient care services. The availability impact could cause denial of service conditions, affecting hospital workflows and emergency response capabilities. The risk extends beyond data loss to reputational damage and erosion of patient trust. Given the interconnected nature of healthcare IT systems, exploitation could also serve as a foothold for further lateral attacks within hospital networks across Europe.

Immediate mitigation should focus on secure coding practices: sanitize and validate all user inputs, especially the username parameter in /admin/index.php, using parameterized queries or prepared statements to prevent SQL Injection. Conduct a thorough code audit of the entire application to identify and remediate similar vulnerabilities. Deploy Web Application Firewalls (WAFs) with SQL Injection detection rules as a temporary protective measure. Monitor logs for suspicious activities targeting the vulnerable endpoint. Restrict access to the admin interface via network segmentation and VPNs to reduce exposure. Implement regular security testing, including automated vulnerability scanning and penetration testing, to detect regressions. Coordinate with Campcodes for official patches or updates and apply them promptly once available. Finally, ensure robust backup and incident response plans are in place to minimize impact if exploitation occurs.