
CVE-2025-7535: SQL Injection in Campcodes Sales and Inventory System

Severity: Medium
Tags: Vulnerability, CVE-2025-7535
Published: Sun Jul 13 2025 (07/13/2025, 17:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Sales and Inventory System

Description

A vulnerability was found in Campcodes Sales and Inventory System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /pages/reprint_cash.php. The manipulation of the argument sid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/13/2025, 18:01:08 UTC

Technical Analysis

CVE-2025-7535 is a SQL injection vulnerability in version 1.0 of the Campcodes Sales and Inventory System, located in the file /pages/reprint_cash.php. The 'sid' parameter is used in a database query without adequate validation or parameterization, so a remote attacker who can reach the page can alter the query by supplying crafted input in that argument. Depending on the database privileges of the application's account, this allows reading, modifying or deleting the sales and inventory data the application stores. The reporting source (VulDB) labels the issue critical, while the CVSS 4.0 base score assigned to it is 6.9 (medium), which reflects a remotely reachable, low-complexity flaw with limited impact on each of confidentiality, integrity and availability. The CVE description states that an exploit has been publicly disclosed; this record reports no exploitation in the wild, but a published exploit lowers the bar for opportunistic attacks. The record does not say whether the affected page requires a logged-in session, so treat the flaw as reachable by anyone who can request the page until that is confirmed. Given the role of sales and inventory systems, exploitation could disrupt business operations, alter financial records and expose commercial information.
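The following is an added illustration, not code from Campcodes or from the advisory. The real query and schema behind reprint_cash.php are not known, so a Python/SQLite stand-in with an invented sales table is used to show why concatenating sid into the query is exploitable and what the two defenses do: binding the value as a parameter, and allowlisting the shape the parameter is allowed to take. The table name, columns and sample rows are all assumptions.

```python
import re
import sqlite3

# Strict allowlist for the parameter: a short run of ASCII digits and nothing else.
# (Assumed shape; the real application's sale ids are not described in the advisory.)
SID_OK = re.compile(r"[0-9]{1,10}")


def make_db():
    """Build an in-memory stand-in for the application's database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (sid INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO sales VALUES (?, ?, ?)",
        [(1, "alice", 19.99), (2, "bob", 250.00), (3, "carol", 7.50)],
    )
    conn.commit()
    return conn


def reprint_vulnerable(conn, sid):
    """Unsafe pattern: the untrusted sid string becomes part of the SQL text.

    A value such as "0 OR 1=1" changes the WHERE clause and returns every row.
    """
    query = f"SELECT sid, customer, total FROM sales WHERE sid = {sid}"
    return conn.execute(query).fetchall()


def reprint_bound(conn, sid):
    """Parameter binding only: the whole string is treated as one value.

    The database never parses the value as SQL, so "0 OR 1=1" matches nothing
    instead of matching everything. This alone closes the injection.
    """
    query = "SELECT sid, customer, total FROM sales WHERE sid = ?"
    return conn.execute(query, (sid,)).fetchall()


def reprint_safe(conn, sid):
    """Defense in depth: reject anything that is not a plain integer id, then bind it."""
    if not isinstance(sid, str) or SID_OK.fullmatch(sid) is None:
        raise ValueError("sid must be a decimal integer")
    query = "SELECT sid, customer, total FROM sales WHERE sid = ?"
    return conn.execute(query, (int(sid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, sid=2:        ", reprint_vulnerable(db, "2"))
    print("vulnerable, sid=0 OR 1=1: ", reprint_vulnerable(db, "0 OR 1=1"))
    print("bound,      sid=0 OR 1=1: ", reprint_bound(db, "0 OR 1=1"))
    try:
        reprint_safe(db, "0 OR 1=1")
    except ValueError as exc:
        print("safe,       sid=0 OR 1=1:  rejected:", exc)
```

The point of keeping both `reprint_bound` and `reprint_safe` is that the allowlist is not what stops the injection; the bound parameter is. The allowlist exists so that malformed requests are refused at the edge with a clear error rather than silently returning nothing, which is also the rule a WAF in front of the application should enforce.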

Potential Impact

For European organizations running Campcodes Sales and Inventory System 1.0, this vulnerability puts both operational continuity and data confidentiality at risk. Successful exploitation could disclose sales and inventory records, alter transaction data, and enable financial fraud. That in turn can damage reputation, create regulatory exposure (for example under GDPR where the records contain personal data), and disrupt day-to-day operations. Because the attack is launched remotely and a public exploit exists, the likelihood of exploitation is highest where the system is reachable from the internet or poorly segmented from the rest of the network. The CVE record references no vendor fix, so organizations should assume they need compensating controls until one is confirmed.

Mitigation Recommendations

European organizations should first audit their deployments to identify every instance of Campcodes Sales and Inventory System and confirm the version in use. The durable fix is in the application: the sid value in /pages/reprint_cash.php must be validated as an integer and passed to the database through a prepared statement rather than concatenated into the query; check with the vendor for a fixed release and, where the source is available, apply that change directly. Until then, enforce the expected shape of the parameter at a web application firewall or reverse proxy: allowlist a plain numeric sid for requests to that page rather than trying to blacklist injection payloads, which are easy to encode around. Restrict network access to the application to trusted internal networks and VPN users, and never expose it directly to the internet. Increase logging of web requests and database queries, and review requests to reprint_cash.php whose sid contains anything other than digits; note that access logs only show GET query strings, so a WAF or application-level check is still needed for parameters sent in a request body. Runtime application self-protection (RASP) can add a further layer where it is supported. Where feasible, prioritize upgrading to a patched version or migrating to an alternative product. Finally, update incident response plans to cover the scenario of database compromise through this application, including how sales records would be verified against an untampered source.
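An added example, not from the advisory or the vendor, of the allowlist check described above applied to web server logs: every request to /pages/reprint_cash.php whose sid is not a short decimal integer is flagged, which is the same rule a WAF rule in front of the application should enforce on the live request. The log lines are constructed, and the combined log format and the one-to-ten-digit rule are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx "combined" format); not real traffic.
# The last line is a POST: its parameters travel in the body, which access logs do not
# record, so this scanner cannot judge it. That gap is why an in-line WAF or the
# application's own validation is still required.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jul/2025:18:02:11 +0000] "GET /pages/reprint_cash.php?sid=42 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jul/2025:18:02:15 +0000] "GET /pages/reprint_cash.php?sid=42%20AND%201%3D1 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jul/2025:18:03:40 +0000] "GET /pages/reprint_cash.php?sid=42%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 512 "-" "python-requests/2.32"
198.51.100.7 - - [13/Jul/2025:18:03:41 +0000] "GET /pages/index.php HTTP/1.1" 200 4096 "-" "python-requests/2.32"
192.0.2.5 - - [13/Jul/2025:18:04:02 +0000] "POST /pages/reprint_cash.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULNERABLE_PATH = "/pages/reprint_cash.php"

# Allowlist: the only shape a legitimate sid is assumed to take.
SID_OK = re.compile(r"[0-9]{1,10}")


def is_valid_sid(value):
    """True if the (already percent-decoded) sid is a 1-10 digit ASCII integer."""
    return SID_OK.fullmatch(value) is not None


def scan_log(text):
    """Return one finding per request to the vulnerable page whose sid fails the allowlist."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        if url.path != VULNERABLE_PATH:
            continue
        # parse_qs percent-decodes, so encoded payloads are inspected in the clear.
        for sid in parse_qs(url.query, keep_blank_values=True).get("sid", []):
            if not is_valid_sid(sid):
                findings.append(
                    {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "sid": sid}
                )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} sid={f['sid']!r}")
```

Decoding before matching matters: the two hostile requests in the sample arrive percent-encoded, and a rule that only looks for the literal characters `'` or `UNION` in the raw line would miss them. The status code is kept in each finding because a 500 on an otherwise working page, as in the UNION attempt, is a useful corroborating signal that the injected input reached the database.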


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-12T11:36:08.547Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6873f0dda83201eaacbd00a9

Added to database: 7/13/2025, 5:46:05 PM

Last enriched: 7/13/2025, 6:01:08 PM

Last updated: 7/13/2025, 6:01:08 PM

