CVE-2025-9529
Published: 27 August 2025
Summary
CVE-2025-9529 is a medium-severity External Control of File Name or Path (CWE-73) vulnerability in Campcodes Payroll Management System. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 31.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25885
Vulnerability details
A weakness has been identified in Campcodes Payroll Management System 1.0. The affected element is the function include of the file /index.php. Manipulating the argument page causes file inclusion. The attack can be carried out remotely.…
The exploit has been made publicly available and could be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The LFI vulnerability in /index.php enables remote exploitation of a public-facing web application (T1190), arbitrary local file reads for data collection (T1005), file and directory discovery via path traversal (T1083), and access to credentials in files (T1081).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Rejects externally supplied file or resource identifiers that fail validity checks.
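One way to apply that control to a page-style include parameter, as an added example (not code from Campcodes or from this entry). The function name resolve_page, the allowlist entries and the pages directory layout are assumptions, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of page names; the real application's pages are not listed in this entry.
const ALLOWED_PAGES = ['home', 'employee', 'payroll'];

/**
 * Map an untrusted "page" value to an includable file, or return null to reject it.
 * $baseDir is the only directory page templates may be loaded from (assumed layout).
 */
function resolve_page(mixed $requested, string $baseDir, array $allowed = ALLOWED_PAGES): ?string
{
    // Reject non-strings such as arrays from ?page[]=x.
    if (!is_string($requested)) {
        return null;
    }
    // Exact-match allowlist: path separators, dot segments and scheme prefixes never match.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    // Defence in depth: the file must exist and resolve (symlinks included) directly inside $baseDir.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Demo on constructed input: build a throwaway pages directory, then try good and bad values.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
    mkdir($dir);
    touch($dir . DIRECTORY_SEPARATOR . 'home.php');
    foreach (['home', 'payroll', '../home', 'home.php', ['home']] as $sample) {
        $result = resolve_page($sample, $dir);
        printf("%-12s => %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES), $result ?? 'rejected');
    }
    unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
    rmdir($dir);
}

// Front-controller use (sketch): include only what resolve_page() returns.
// $file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
// if ($file === null) { http_response_code(404); exit; }
// include $file;
```

In the demo only home resolves to a path: payroll is allowlisted but has no file in the throwaway directory, and the remaining values never match the allowlist.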