CVE-2025-6422 is a vulnerability identified in version 1.0 of the Campcodes Online Recruitment Management System, specifically within the /admin/ajax.php endpoint when invoked with the action=save_settings parameter related to the About Content Page component. The vulnerability arises from improper validation of the 'img' argument, which allows an attacker to perform an unrestricted file upload. This means that an attacker can upload arbitrary files, potentially including malicious scripts or executables, to the server hosting the recruitment system. The vulnerability can be exploited remotely without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). However, a low privilege level (PR:L) is required, implying that the attacker must have some limited authenticated access to the system. The CVSS 4.0 base score is 5.3, categorized as medium severity, reflecting the partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploit has been publicly disclosed but there are no known exploits actively used in the wild at this time. The lack of available patches or mitigations from the vendor increases the risk for organizations using this software. Unrestricted file upload vulnerabilities are critical because they can lead to remote code execution, server compromise, data theft, or service disruption if exploited successfully. Given the recruitment system's role in managing sensitive candidate and organizational data, exploitation could lead to significant data breaches or operational impacts.

For European organizations using Campcodes Online Recruitment Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of recruitment and HR data. Attackers exploiting the unrestricted upload could deploy web shells or malware to gain persistent access, exfiltrate sensitive personal data of candidates and employees, or disrupt recruitment operations. This could lead to regulatory non-compliance under GDPR due to personal data exposure, reputational damage, and financial penalties. Additionally, if the recruitment system is integrated with other internal HR or enterprise systems, lateral movement by attackers could further compromise organizational IT infrastructure. The medium CVSS score underestimates the potential impact if the vulnerability is chained with other weaknesses or if the attacker has elevated privileges. The absence of known active exploitation reduces immediate risk but does not eliminate the threat, especially as exploit code is publicly available. Organizations relying on this system should consider the criticality of recruitment data and the potential for operational disruption in their risk assessments.

1. Immediate mitigation should include restricting access to the /admin/ajax.php endpoint to trusted administrators only, ideally via network segmentation or VPN access controls, to reduce exposure to unauthenticated or low-privilege attackers. 2. Implement strict input validation and file type restrictions on the 'img' parameter to prevent uploading executable or script files. 3. Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts targeting this endpoint. 4. Monitor server logs and file system changes for unusual uploads or modifications in the web root or upload directories. 5. If possible, disable or remove the vulnerable About Content Page functionality until a vendor patch is available. 6. Conduct regular security audits and penetration tests focusing on file upload functionalities. 7. Apply the principle of least privilege for user accounts to limit the impact of compromised credentials. 8. Engage with the vendor for timely patch releases and subscribe to vulnerability advisories for updates. 9. Consider deploying endpoint detection and response (EDR) solutions on servers hosting the system to detect post-exploitation activities.