
CVE-2025-8190: SQL Injection in Campcodes Courier Management System

Medium
Tags: Vulnerability, CVE-2025-8190
Published: Sat Jul 26 2025 (07/26/2025, 13:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Courier Management System

Description

A vulnerability, which was classified as critical, has been found in Campcodes Courier Management System 1.0. This issue affects some unknown processing of the file /print_pdets.php. The manipulation of the argument ids leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis last updated: 08/03/2025, 01:04:31 UTC

Technical Analysis

CVE-2025-8190 is a SQL injection vulnerability in version 1.0 of the Campcodes Courier Management System, located in the /print_pdets.php file. The vulnerability arises from improper sanitization or validation of the 'ids' parameter, which allows an attacker to inject SQL into backend database queries remotely, without authentication or user interaction. This can lead to unauthorized data access, data modification, or disruption of service. Although the CVSS 4.0 score is 5.3 (medium severity), the vulnerability's characteristics (remote exploitability without authentication and a direct impact on data integrity and confidentiality) make it a significant concern. The lack of a patch or mitigation guidance at the time of disclosure increases the risk, especially since exploit details have been publicly disclosed and could facilitate exploitation by threat actors. The vulnerability affects only version 1.0 of the product, which may limit its scope but still poses a critical risk to organizations running that version.

Potential Impact

For European organizations utilizing Campcodes Courier Management System 1.0, this vulnerability could lead to unauthorized access to sensitive courier and shipment data, including customer information, shipment details, and internal logistics data. Exploitation could result in data breaches, loss of data integrity, and potential disruption of courier operations, impacting business continuity and customer trust. Given the critical nature of courier services in supply chain and logistics sectors, especially in countries with high e-commerce activity, the impact could extend to financial losses and regulatory penalties under GDPR if personal data is compromised. Additionally, attackers could leverage this vulnerability to pivot within the network, escalating the threat beyond the affected application. The medium CVSS rating may underestimate the real-world impact due to the potential for data exfiltration and operational disruption.

Mitigation Recommendations

Organizations should immediately audit their use of Campcodes Courier Management System to determine whether version 1.0 is deployed. If so, they should restrict access to the affected /print_pdets.php endpoint through network segmentation and web application firewalls (WAF) with rules that detect and block SQL injection patterns targeting the 'ids' parameter. Input validation and parameterized queries should be implemented by the vendor, or through custom patches where possible. Monitoring and logging of database queries and web requests should be enhanced to detect anomalous activity. Until an official patch is released, organizations should consider disabling the vulnerable functionality if feasible, or deploying compensating controls such as strict IP whitelisting and multi-factor authentication on management interfaces. Regular backups and incident response plans should be updated to cover potential exploitation scenarios.
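The technical analysis above attributes the flaw to the unsanitized 'ids' parameter, and the mitigation recommends input validation and parameterized queries. The following is an added example of what that fix looks like in PHP; it is not the Campcodes code (the advisory does not show the actual source of /print_pdets.php), and it assumes that 'ids' is a comma-separated list of integer record ids, that the application uses MySQL, and that a table named `shipments` with columns `id`, `tracking_no` and `status` exists. The commented-out "before" pattern is an assumed illustration of the typical defect, not a reproduction of the vulnerable file.

```php
<?php
// Added example, not Campcodes' code. Table, column and connection details are
// assumed for illustration.
declare(strict_types=1);

// --- Typical vulnerable pattern (assumed, shown only as a comment) ---
// $sql = "SELECT * FROM shipments WHERE id IN (" . $_GET['ids'] . ")";
// $result = mysqli_query($conn, $sql);
// The raw parameter becomes part of the SQL text, so the database cannot tell
// data apart from query syntax.

/**
 * Validate a comma-separated 'ids' value and return an array of integers.
 * Every element must be pure digits; otherwise the whole value is rejected,
 * so no SQL syntax can travel from the request into the query.
 */
function parseIds(string $raw, int $maxCount = 100): array
{
    $parts = array_map('trim', explode(',', $raw));
    if ($raw === '' || count($parts) > $maxCount) {
        return [];
    }
    $ids = [];
    foreach ($parts as $p) {
        if (!preg_match('/^\d{1,10}$/', $p)) {
            return []; // one malformed element invalidates the request
        }
        $ids[] = (int) $p;
    }
    return array_values(array_unique($ids));
}

/**
 * Fetch rows for the validated ids with a prepared statement, using one
 * bound placeholder per id. The SQL text never contains user input.
 */
function fetchShipments(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT id, tracking_no, status FROM shipments WHERE id IN ($placeholders)"
    );
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened request handling ---
$ids = parseIds((string) ($_GET['ids'] ?? ''));
if ($ids === []) {
    http_response_code(400);
    exit('invalid ids');
}

// Placeholder DSN and credentials; load real values from configuration.
$db = new PDO('mysql:host=localhost;dbname=courier', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepared statements
]);

$rows = fetchShipments($db, $ids);
// ... continue with PDF rendering of $rows
```

Validation and parameterization are both kept on purpose: the prepared statement is what actually prevents injection, while the digit-only check rejects malformed requests early and gives a clean 400 that is easy to alert on in the web server logs the mitigation section suggests monitoring. Disabling `PDO::ATTR_EMULATE_PREPARES` ensures the parameters are sent to MySQL separately from the query text rather than being escaped client-side.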


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-25T08:46:11.680Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6884d578ad5a09ad005fe6d8

Added to database: 7/26/2025, 1:17:44 PM

Last enriched: 8/3/2025, 1:04:31 AM

Last updated: 9/6/2025, 7:46:55 AM
