CVE-2025-9759: SQL Injection in Campcodes Courier Management System
A security flaw has been discovered in Campcodes/SourceCodester Courier Management System 1.0. Affected by this issue is the function Signup of the file /ajax.php. Manipulation of the argument lastname results in SQL injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited.
AI Analysis
Technical Summary
CVE-2025-9759 is a SQL injection vulnerability in version 1.0 of the Campcodes/SourceCodester Courier Management System, in the Signup function of /ajax.php. The 'lastname' parameter is not safely separated from the SQL statement it is used in, so an attacker can inject SQL remotely; because Signup is the account-creation function, no authentication or user interaction is needed. A successful injection lets the attacker alter the backend query, which can lead to unauthorized reads, data modification, or full compromise of the application database, depending on the privileges of the database account the application uses. The CVSS 4.0 base score is 6.9 (medium): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L). No official patch has been released. No exploitation in the wild has been reported, but a public exploit is available, which raises the likelihood of opportunistic attacks against exposed instances.
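To make the flaw class concrete, here is an added example (not code from the Courier Management System, which is a PHP application; this is a Python/SQLite stand-in written for this page) contrasting a signup routine that pastes lastname into the INSERT statement with one that binds it as a parameter. The users table, its column names, and the payload are hypothetical; the advisory names only the file, the function and the parameter.

```python
import sqlite3

# Hypothetical stand-in for the application's users table (the real schema is not on the page).
SCHEMA = """
CREATE TABLE users (
    id        INTEGER PRIMARY KEY,
    firstname TEXT NOT NULL,
    lastname  TEXT NOT NULL,
    email     TEXT NOT NULL,
    role      TEXT NOT NULL
)
"""

LAST_ROW = "SELECT firstname, lastname, email, role FROM users ORDER BY id DESC LIMIT 1"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def signup_vulnerable(conn, firstname, lastname, email):
    # The pattern behind the advisory: user input is pasted into the statement text,
    # so a quote inside 'lastname' ends the string literal and the rest is parsed as SQL.
    sql = (
        "INSERT INTO users (firstname, lastname, email, role) "
        f"VALUES ('{firstname}', '{lastname}', '{email}', 'customer')"
    )
    conn.execute(sql)
    conn.commit()
    return conn.execute(LAST_ROW).fetchone()


def signup_safe(conn, firstname, lastname, email):
    # Parameterized statement: values travel separately from the SQL text, so the same
    # input is stored verbatim as a surname and can never change the statement's shape.
    conn.execute(
        "INSERT INTO users (firstname, lastname, email, role) VALUES (?, ?, ?, 'customer')",
        (firstname, lastname, email),
    )
    conn.commit()
    return conn.execute(LAST_ROW).fetchone()


# Constructed payload: closes the lastname literal, supplies an attacker-chosen email and
# role, closes the VALUES list, and comments out the remainder of the original statement.
PAYLOAD = "Doe', 'attacker@example.com', 'admin') -- "


def run_demo():
    """Return (row written by the vulnerable signup, row written by the safe signup)."""
    vuln_row = signup_vulnerable(fresh_db(), "Jane", PAYLOAD, "jane@example.com")
    safe_row = signup_safe(fresh_db(), "Jane", PAYLOAD, "jane@example.com")
    return vuln_row, safe_row


def quote_probe(conn):
    """A lone apostrophe (as in O'Brien) is a cheap liveness check for this bug class:
    string interpolation turns it into a syntax error, a bound parameter does not.
    Returns True when the interpolating signup breaks on the apostrophe."""
    try:
        signup_vulnerable(conn, "Conor", "O'Brien", "conor@example.com")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    vuln, safe = run_demo()
    print("vulnerable signup stored:", vuln)
    print("safe signup stored:      ", safe)
    print("apostrophe breaks vulnerable query:", quote_probe(fresh_db()))
```

With the interpolating version the stored row carries the attacker's email and the role 'admin'; with the bound-parameter version the whole payload is stored as a literal surname and the role stays 'customer'. The apostrophe probe is also why database syntax errors in application logs deserve attention (see the monitoring recommendation below).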
Potential Impact
For European organizations running Campcodes Courier Management System 1.0, this vulnerability threatens the confidentiality and integrity of courier and logistics data. An attacker could extract customer records, alter shipment data, or disrupt operations by modifying database contents, with consequences ranging from downtime and loss of customer trust to GDPR exposure where personal data is involved. Because the attack is remote and unauthenticated, any instance reachable from the internet can be targeted directly, and the public exploit lowers the skill needed to do so. Logistics, supply chain and courier businesses in Europe that depend on this software are the organizations most at risk.
Mitigation Recommendations
Organizations should immediately identify any deployment of Campcodes Courier Management System 1.0 and plan to move to a fixed version as soon as the vendor publishes one. Since no official patch exists at the time of writing, apply the following in the meantime:
1) Fix the code, since it is available: rewrite the Signup query in /ajax.php to use prepared statements with bound parameters (in PHP, PDO::prepare or mysqli_prepare) for 'lastname' and every other user-supplied value. This is the only measure that removes the flaw rather than filtering around it.
2) Until that is done, screen the 'lastname' parameter at the WAF or reverse proxy for SQL syntax (a quote followed by SQL tokens, comment sequences, UNION/SELECT, time-delay functions). Treat this as a stopgap: filters can be bypassed with encoding tricks, and an outright ban on apostrophes will reject legitimate surnames such as O'Brien.
3) Limit exposure of /ajax.php: restrict it to trusted networks where the deployment allows it, keeping in mind that Signup is a public-facing function and the injectable parameter is reachable by anyone who can reach the signup form.
4) Monitor web server, proxy and database logs for requests to /ajax.php carrying SQL syntax in the 'lastname' field and for database syntax errors, which are the usual first sign of probing.
5) Run the application's database account with the least privileges it needs (no FILE or DROP privileges and no access to other schemas) so that a successful injection cannot be escalated beyond the application's own tables.
6) Include injection testing of /ajax.php and the other user-facing endpoints in regular security assessments and penetration tests.
7) Train development and operations teams on parameterized queries and the risks of string-built SQL.
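As an added example for the WAF screening and log monitoring recommendations above (not code from the project or from any WAF product), the following Python scores the lastname parameter of requests to /ajax.php for injection indicators. The same function can back a reverse-proxy block decision or run over request logs. The log format (JSON lines carrying a decoded query string and form body) and all sample records are constructed for this example, and the action=signup query string is an assumption about how the Signup function is reached, which is why the scanner keys on the presence of a lastname parameter rather than on the action value.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Indicator patterns for a free-text surname field. An apostrophe on its own is deliberately
# not an indicator (O'Brien is a real surname); it is flagged only when SQL syntax follows it.
INDICATORS = [
    ("quote-then-sql", re.compile(r"'\s*(\)|,|;|--|#|/\*|or\b|and\b|union\b)", re.I)),
    ("comment", re.compile(r"--|#|/\*")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
    ("stacked", re.compile(r";\s*(select|insert|update|delete|drop|alter)\b", re.I)),
]


def injection_indicators(value):
    """Labels of the indicators present in value; an empty list means nothing suspicious."""
    return [label for label, rx in INDICATORS if rx.search(value)]


def request_params(record):
    """Merge the decoded query-string and form-body parameters of one proxy log record."""
    params = parse_qs(record.get("query", ""))
    params.update(parse_qs(record.get("body", "")))
    return params


def scan_log(lines):
    """Return one alert per /ajax.php request whose lastname parameter shows indicators.
    Usable as a WAF decision (block when the indicator list is non-empty) or as a detector."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("path") != "/ajax.php":
            continue
        for lastname in request_params(rec).get("lastname", []):
            hits = injection_indicators(lastname)
            if hits:
                alerts.append({"src": rec["src"], "lastname": lastname, "indicators": hits})
    return alerts


def _rec(src, body, path="/ajax.php"):
    # Constructed log record; the action=signup query string is an assumption about the app.
    return json.dumps({"src": src, "method": "POST", "path": path,
                       "query": "action=signup", "body": urlencode(body)})


# Constructed sample log: two benign signups (one with a legitimate apostrophe),
# two injection attempts, and one unrelated request that must be ignored.
SAMPLE_LOG = [
    _rec("198.51.100.7", {"firstname": "Jane", "lastname": "Smith", "email": "jane@example.com"}),
    _rec("198.51.100.8", {"firstname": "Conor", "lastname": "O'Brien", "email": "conor@example.com"}),
    _rec("203.0.113.10", {"firstname": "x", "email": "x@example.com",
                          "lastname": "Doe', 'attacker@example.com', 'admin') -- "}),
    _rec("203.0.113.11", {"firstname": "x", "email": "x@example.com",
                          "lastname": "x' OR SLEEP(5)-- "}),
    _rec("198.51.100.9", {"q": "track"}, path="/index.php"),
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the sample log, the two attack records are reported with their matched indicators while Smith and O'Brien pass untouched. Pattern lists like this are a stopgap: they reduce noise from commodity scanners but will not stop a determined attacker who encodes or reshapes the payload, which is why the parameterized-query fix remains the priority.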
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-31T12:46:54.030Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b5175bad5a09ad00c805db
Added to database: 9/1/2025, 3:47:39 AM
Last enriched: 9/1/2025, 4:02:44 AM
Last updated: 9/1/2025, 6:00:49 AM
Views: 4
Related Threats
CVE-2025-9768: SQL Injection in itsourcecode Sports Management System (Medium)
CVE-2025-58318: CWE-306 Missing Authentication for Critical Function in Delta Electronics DIAView (Medium)
CVE-2025-9767: SQL Injection in itsourcecode Sports Management System (Medium)
CVE-2025-9765: SQL Injection in itsourcecode Sports Management System (Medium)
CVE-2025-9764: SQL Injection in itsourcecode Sports Management System (Medium)