
CVE-2025-8950: SQL Injection in Campcodes Online Recruitment Management System

Severity: Medium
Published: Thu Aug 14 2025 (08/14/2025, 07:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Recruitment Management System

Description

A vulnerability was identified in Campcodes Online Recruitment Management System 1.0. This issue affects some unknown processing of the file /Recruitment/index.php?page=view_vacancy. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/14/2025, 08:02:46 UTC

Technical Analysis

CVE-2025-8950 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Recruitment Management System. The flaw lies in the handling of the 'ID' parameter of the /Recruitment/index.php?page=view_vacancy endpoint: the value is used in a database query without being validated as an integer or bound as a query parameter, so an attacker who controls it can change the structure of the query rather than just the value it compares against. Depending on the privileges of the database account the application connects with, this can disclose data from other tables, modify records, or delete them. The endpoint is reachable over the network and exploitation needs neither authentication nor user interaction. VulDB assigned a CVSS 4.0 base score of 6.9 (Medium); the vector records network attack vector (AV:N), no privileges required (PR:N), no user interaction (UI:N), and low impact on each of confidentiality, integrity and availability (VC:L, VI:L, VA:L). No vendor patch has been published and no exploitation in the wild has been reported, but the exploit details are public, which lowers the bar for opportunistic attacks against exposed instances.
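The following is an added illustration and not code from the Campcodes application or from the advisory. The real endpoint is PHP against MySQL and its source is not shown on this page, so the example reproduces the pattern the analysis describes with Python and an in-memory SQLite table: the table name, columns and rows are constructed, and `view_vacancy_vulnerable` is a stand-in for a handler that splices the ID parameter into the query text. Alongside it, `view_vacancy_fixed` shows the two changes that close the hole, an integer cast and a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for the application's vacancy table.
# The real schema of the Campcodes application is not shown on the advisory;
# the table name, columns and rows below are assumptions for illustration.
SAMPLE_VACANCIES = [
    (1, "Backend Developer", "published"),
    (2, "HR Assistant", "published"),
    (3, "Finance Director (confidential)", "draft"),
]


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vacancy (id INTEGER PRIMARY KEY, title TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO vacancy VALUES (?, ?, ?)", SAMPLE_VACANCIES)
    return conn


def view_vacancy_vulnerable(conn, raw_id):
    """The injectable pattern: the request parameter is spliced into the SQL text.

    Only published vacancies are meant to be visible, but the caller's input
    becomes part of the query grammar, so it can rewrite the WHERE clause
    (AND binds tighter than OR, so "1 OR 1=1" disables the status filter)
    or append a UNION that reads other columns.
    """
    sql = (
        "SELECT id, title FROM vacancy "
        f"WHERE status = 'published' AND id = {raw_id}"
    )
    return conn.execute(sql).fetchall()


def view_vacancy_fixed(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        vacancy_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer id
    # The driver sends the value separately from the query text, so it can
    # never be interpreted as SQL.
    return conn.execute(
        "SELECT id, title FROM vacancy WHERE status = 'published' AND id = ?",
        (vacancy_id,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1 OR 1=1", "0 UNION SELECT id, status FROM vacancy"):
        print(repr(payload))
        print("  vulnerable:", view_vacancy_vulnerable(db, payload))
        print("  fixed:     ", view_vacancy_fixed(db, payload))
```

The vulnerable path returns the unpublished draft row for both payloads; the fixed path returns nothing for either, because neither survives the integer cast. Rejecting non-integer input before the query is the cheap check; binding the parameter is what makes the query safe even when the validation is later loosened.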

Potential Impact

For European organizations running Campcodes Online Recruitment Management System 1.0, the vulnerability threatens the confidentiality and integrity of recruitment data, including candidate personal data and details of internal hiring processes. A breach of that data falls under GDPR and can bring regulatory penalties as well as reputational damage. An attacker could also alter or delete recruitment records, disrupting HR operations. Because exploitation needs no authentication, any instance reachable from the internet can be attacked directly, and public exploit details make that more likely. The vector rates the availability impact as low, so service disruption is a secondary concern next to data disclosure and tampering, but it still matters for organizations that depend on the system for time-critical hiring workflows.

Mitigation Recommendations

No vendor patch is available, so mitigation has to happen at the deployment. Because the application is deployed as PHP source, operators can fix the query themselves: cast the 'ID' parameter to an integer before use, or pass it as a bound parameter of a prepared statement instead of concatenating it into the SQL string. Until that is done, restrict access to the application, or at least to the affected endpoint, to trusted internal networks, and add a web application firewall rule that rejects any request to page=view_vacancy whose ID value is not a plain integer; an allow-list of this kind is more reliable than signature matching for SQL keywords. Monitor web server logs for requests to this endpoint with non-numeric ID values, quotes, SQL keywords or comment sequences, and for 500 responses from it, which often indicate a broken query during probing. Prepare to deploy a vendor patch quickly once one is released, audit the rest of the application for the same pattern in other page= handlers, and verify that backups of the recruitment database are current and restorable in case records are tampered with or deleted.
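As an added example of the log monitoring recommended above (not code from the advisory or the Campcodes project), the script below scans combined-format access log lines for requests to page=view_vacancy whose ID value is not a plain integer. The log lines, addresses and timestamps are constructed for the example; the keyword list is a heuristic for triage, and the integer allow-list check is what actually decides whether a request is flagged.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). The addresses,
# timestamps and sizes are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2025:09:01:12 +0000] "GET /Recruitment/index.php?page=view_vacancy&id=5 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2025:09:01:30 +0000] "GET /Recruitment/index.php?page=view_vacancy&id=5%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2025:09:01:41 +0000] "GET /Recruitment/index.php?page=view_vacancy&id=5%20AND%20SLEEP(5) HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2025:09:02:02 +0000] "GET /Recruitment/index.php?page=view_vacancy&id=-1%20UNION%20SELECT%201,2,3,4-- HTTP/1.1" 200 5110 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Aug/2025:09:03:15 +0000] "GET /Recruitment/index.php?page=vacancy_list HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

# Client address, timestamp, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Characters and keywords that never belong in an integer record id.
SQLI_TOKENS = re.compile(
    r"(?i)['\"]|--|/\*|;|\b(union|select|sleep|benchmark|or|and|waitfor)\b"
)


def classify_id(value):
    """Return None for a well-formed integer id, otherwise a short reason."""
    value = value.strip()
    if re.fullmatch(r"\d{1,10}", value):
        return None
    if SQLI_TOKENS.search(value):
        return "sql metacharacters or keywords"
    return "non-numeric id"


def find_sqli_attempts(log_text):
    """Scan log lines for view_vacancy requests whose id is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.lower().endswith("/recruitment/index.php"):
            continue
        # parse_qs percent-decodes the values; parameter names are compared
        # case-insensitively because the advisory names the argument "ID".
        params = {
            k.lower(): v
            for k, v in parse_qs(parts.query, keep_blank_values=True).items()
        }
        if params.get("page", [""])[0].lower() != "view_vacancy":
            continue
        for raw in params.get("id", []):
            reason = classify_id(raw)
            if reason:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "id": raw,
                    "reason": reason,
                })
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client address, highest first."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    found = find_sqli_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} id={h["id"]!r} ({h["reason"]})')
    print("per source:", summarize_by_source(found))
```

Run against a real access log, the same functions work on `open(path).read()`; the 500 response on the quote probe is the kind of signal worth alerting on even when the WAF has already blocked the later, more obvious payloads.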


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-13T14:02:23.727Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 689d94a4ad5a09ad00588f13

Added to database: 8/14/2025, 7:47:48 AM

Last enriched: 8/14/2025, 8:02:46 AM

Last updated: 8/14/2025, 8:57:55 AM

