CVE-2025-6567 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Recruitment Management System, specifically within the file Recruitment/admin/view_application.php. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which is used in SQL queries to retrieve application data. An attacker can remotely manipulate this parameter to inject arbitrary SQL commands, potentially allowing unauthorized access to the underlying database. This can lead to unauthorized data disclosure, data modification, or even complete compromise of the database server. The vulnerability does not require any authentication or user interaction, making it exploitable by any remote attacker with network access to the affected system. Although the CVSS 4.0 score is rated at 6.9 (medium severity), the nature of SQL injection vulnerabilities typically poses significant risks, especially when exploited in administrative modules. No official patches or mitigations have been published yet, and while no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is an online recruitment management system used to handle job applications and candidate data, making the confidentiality and integrity of sensitive personal and organizational data at risk.

For European organizations using Campcodes Online Recruitment Management System version 1.0, this vulnerability could lead to severe consequences. Attackers exploiting the SQL injection could access sensitive applicant data, including personal identifiable information (PII), resumes, and potentially internal recruitment decisions, violating GDPR and other data protection regulations. The integrity of recruitment data could be compromised, leading to manipulation of candidate evaluations or insertion of fraudulent data. Availability could also be affected if attackers execute destructive SQL commands or cause database corruption. Given that recruitment systems often integrate with HR and payroll systems, a compromise could cascade into broader organizational impacts. This could result in reputational damage, regulatory fines, and operational disruptions. The remote, unauthenticated nature of the exploit increases the attack surface, especially for organizations exposing the recruitment system to the internet without adequate network segmentation or access controls.

To mitigate this vulnerability, European organizations should immediately audit their deployment of Campcodes Online Recruitment Management System to identify if version 1.0 is in use. If so, they should isolate the affected system from public internet access by implementing strict network segmentation and firewall rules restricting access to trusted internal IPs only. Input validation and parameterized queries should be enforced at the application level; if source code access is available, developers should refactor the vulnerable code to use prepared statements or stored procedures to prevent SQL injection. In the absence of an official patch, organizations can deploy Web Application Firewalls (WAFs) with custom rules to detect and block malicious SQL injection payloads targeting the 'ID' parameter in the affected endpoint. Continuous monitoring of logs for suspicious query patterns and unusual database activity is recommended. Additionally, organizations should prepare incident response plans to quickly address potential exploitation and consider conducting penetration testing focused on this vulnerability. Finally, organizations should engage with the vendor for patch updates and apply them promptly once available.