CVE-2025-7119: SQL Injection in Campcodes Complaint Management System
A vulnerability has been found in Campcodes Complaint Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /users/index.php. The manipulation of the argument Username leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7119 is a critical SQL Injection vulnerability identified in version 1.0 of the Campcodes Complaint Management System, specifically within an unspecified functionality of the /users/index.php file. The vulnerability arises from improper sanitization or validation of the 'Username' parameter, which can be manipulated by an attacker to inject malicious SQL code. This injection flaw allows remote attackers to execute arbitrary SQL commands on the backend database without requiring authentication or user interaction. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known active exploits have been reported in the wild yet. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of remote exploitation without privileges or user interaction, but with limited impact on confidentiality, integrity, and availability (each rated low). The attack vector is network-based, requiring no authentication or user interaction, and the scope is unchanged, meaning the vulnerability affects only the vulnerable component. The lack of a patch or mitigation details in the disclosure suggests that organizations using this system remain exposed until a fix is released or workarounds are implemented.
Potential Impact
For European organizations using the Campcodes Complaint Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of complaint data, which may include sensitive personal information protected under GDPR. Successful exploitation could lead to unauthorized data access, data leakage, or manipulation of complaint records, undermining trust and potentially resulting in regulatory penalties. Additionally, attackers could leverage the SQL injection to escalate privileges or pivot to other internal systems if the database contains credentials or other sensitive configuration data. The remote, unauthenticated nature of the attack increases the threat level, especially for organizations with internet-facing complaint management portals. Disruption of complaint handling processes could also impact operational availability and customer service quality. Given the criticality of complaint management in sectors such as public services, healthcare, and consumer protection, the impact could be substantial if exploited.
Mitigation Recommendations
European organizations should immediately audit their deployment of the Campcodes Complaint Management System to determine if version 1.0 is in use. Until an official patch is released, organizations should implement the following mitigations:
1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'Username' parameter in /users/index.php.
2) Restrict access to the complaint management system to trusted IP ranges or via VPN to reduce exposure.
3) Conduct input validation and sanitization at the application layer if source code access is available, especially for the 'Username' parameter.
4) Monitor logs for suspicious SQL queries or unusual access patterns.
5) Segregate the database with least privilege principles to limit the impact of potential exploitation.
6) Prepare for rapid patch deployment once a vendor fix becomes available.
7) Educate staff on incident response procedures related to data breaches involving complaint data.
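Mitigation 4 asks for log monitoring. The following is an added example, not code from the original advisory or from Campcodes: a small Python scanner over constructed combined-format access-log lines that flags requests to /users/index.php whose Username value carries SQL injection indicators, while letting a legitimate value such as O'Brien through. It assumes the parameter travels in the query string; if the form posts it in the request body, access logs will not contain it and the same check has to run at the WAF or in application-level logging.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jul/2025:08:24:20 +0000] "GET /users/index.php?Username=alice HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Jul/2025:08:24:21 +0000] "GET /users/index.php?Username=admin%27%20--%20 HTTP/1.1" 200 9812 "-" "curl/8.0"
203.0.113.12 - - [07/Jul/2025:08:24:22 +0000] "GET /users/index.php?username=x%2527%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [07/Jul/2025:08:24:23 +0000] "GET /users/index.php?Username=O%27Brien HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# Weighted indicators, evaluated on the fully URL-decoded, lower-cased value. A lone quote
# is weak evidence (O'Brien is a valid username), so it flags only with a second indicator.
INDICATORS = [
    ("quote", 1, re.compile(r"'")),
    ("comment", 2, re.compile(r"--|#|/\*")),
    ("tautology", 2, re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+")),
    ("union", 3, re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("timing", 3, re.compile(r"\b(sleep|benchmark)\s*\(")),
]
THRESHOLD = 2

def decode_fully(value):
    """Decode twice so a double-encoded %2527 is seen as a quote."""
    return unquote_plus(unquote_plus(value))

def score_value(value):
    """Return (score, indicator names) for one Username value."""
    low = decode_fully(value).lower()
    hits = [(name, w) for name, w, rx in INDICATORS if rx.search(low)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def scan_log(text):
    """Return findings for /users/index.php requests whose Username value scores >= THRESHOLD."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/users/index.php":
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() != "username":
                continue
            for v in values:
                score, hits = score_value(v)
                if score >= THRESHOLD:
                    findings.append({"ip": m.group("ip"), "value": decode_fully(v), "score": score, "hits": hits})
    return findings
```

Tune the weights and THRESHOLD against your own baseline traffic before alerting on the output; the parameter-name comparison is case-insensitive because PHP's $_GET keys are case-sensitive but an attacker may still probe variants.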
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-06T07:50:52.995Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 686b84346f40f0eb72de8095
Added to database: 7/7/2025, 8:24:20 AM
Last enriched: 7/7/2025, 8:39:29 AM
Last updated: 7/7/2025, 8:39:29 AM