
CVE-2025-9678: SQL Injection in Campcodes Online Loan Management System

Medium
Published: Fri Aug 29 2025 (08/29/2025, 21:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Loan Management System

Description

A weakness has been identified in Campcodes Online Loan Management System 1.0. The impacted element is an unknown function of the file /ajax.php?action=delete_borrower. Manipulation of the argument ID causes SQL injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.

AI-Powered Analysis

Last updated: 08/29/2025, 22:02:44 UTC

Technical Analysis

CVE-2025-9678 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Loan Management System. It lies in the /ajax.php endpoint when the action parameter is set to delete_borrower: the ID argument can be manipulated to inject SQL into the backend query, and this can be done remotely without authentication or user interaction. The flaw can give unauthorized access to the backend database, allowing an attacker to read, modify, or delete sensitive loan management data, including borrower information. The CVSS 4.0 vector rates it as network-exploitable (AV:N), requiring no privileges (PR:N) and no user interaction (UI:N), with low attack complexity (AC:L); the impact on confidentiality, integrity, and availability is rated low but present (VC:L, VI:L, VA:L), giving a base score of 6.9 (medium severity). No exploitation in the wild has been confirmed, but exploit code is publicly available, which raises the likelihood of attacks. The vendor has not yet published a patch or official mitigation, so systems running this version remain exposed. Successful exploitation could compromise loan management operations, potentially leading to data breaches, financial fraud, or disruption of services.

Potential Impact

For European organizations using Campcodes Online Loan Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive financial and personal data of borrowers. Exploitation could lead to unauthorized data disclosure, manipulation of loan records, or deletion of critical data, impacting business operations and customer trust. Financial institutions and loan service providers in Europe could face regulatory penalties under GDPR if personal data is compromised. Additionally, the disruption of loan management services could affect operational continuity and customer service. The medium severity rating suggests a moderate but tangible risk, especially given the public availability of exploit code. Organizations relying on this software should consider the threat serious due to the potential financial and reputational damage, as well as compliance implications within the European regulatory environment.

Mitigation Recommendations

European organizations should immediately audit their use of Campcodes Online Loan Management System to identify any deployments of version 1.0. Since no official patch is currently available, organizations should implement the following mitigations:

1) Apply Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the /ajax.php?action=delete_borrower endpoint and the ID parameter.
2) Conduct input validation and sanitization at the application level to reject or properly escape suspicious input values.
3) Restrict access to the vulnerable endpoint by IP whitelisting or network segmentation to limit exposure.
4) Monitor logs and network traffic for unusual activity indicative of SQL injection attempts.
5) Consider upgrading or migrating to a newer, patched version of the software once available.
6) Implement database-level protections such as least privilege accounts and query parameterization to reduce the impact of injection attacks.
7) Educate IT and security teams about this vulnerability and ensure incident response plans are updated to handle potential exploitation scenarios.
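As an added illustration of mitigations 2 and 6 (this is example code written for this page, not Campcodes' own handler), the following shows how a delete_borrower action can validate the ID as a positive integer and bind it through a prepared statement instead of building the SQL string by hand. The table and column names (borrowers, id), the lower-case id parameter, the session key, and the database credentials are all assumptions.

```php
<?php
// Added example, not the vendor's code. Hardened handler for
// ajax.php?action=delete_borrower. Table name "borrowers", column "id",
// the "id" request parameter and the session key are assumptions.
declare(strict_types=1);

session_start();

// Mitigation 2: accept only a positive integer before anything reaches
// the database; anything else (including SQL fragments) is rejected.
function parse_borrower_id(array $request): ?int
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Mitigation 6: a prepared statement binds the ID as data, so it can never
// change the structure of the query text.
function delete_borrower(mysqli $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM borrowers WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if (($_GET['action'] ?? '') === 'delete_borrower') {
    // The flaw is reachable with no privileges (PR:N); a destructive action
    // should at least require an authenticated staff session.
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit;
    }
    $id = parse_borrower_id($_POST);
    if ($id === null) {
        http_response_code(400);
        exit('invalid id');
    }
    // Assumed connection; the DB account should hold only the privileges
    // the application needs (least privilege, mitigation 6).
    $db = new mysqli('localhost', 'loanapp', 'CHANGE_ME', 'loan_db');
    echo delete_borrower($db, $id) > 0 ? 'deleted' : 'not found';
}
```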


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T10:30:41.843Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b22005ad5a09ad007bb54a

Added to database: 8/29/2025, 9:47:49 PM

Last enriched: 8/29/2025, 10:02:44 PM

Last updated: 8/29/2025, 10:02:44 PM
