Cyber Resilience

CVE-2025-9744

MediumPublic PoC

Published: 31 August 2025

Published
31 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0094 76.7th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9744 is a medium-severity Injection (CWE-74) vulnerability in Campcodes Online Loan Management System. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.

The vulnerability permits unauthenticated remote attackers to inject arbitrary SQL commands via the login endpoint, potentially resulting in unauthorized data access or modification within the affected loan management application. Publicly disclosed proof-of-concept code increases the likelihood of automated or targeted exploitation against exposed instances.

EPSS scores for this CVE have risen from an initial low of 0.0094 to a peak of 0.0168, indicating emerging exploitation interest after disclosure. No vendor patches or specific mitigation guidance are detailed in the referenced advisories.

EU & UK References

Vulnerability details

A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely.…

more

The exploit has been made available to the public and could be exploited.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in unauthenticated login endpoint (ajax.php?action=login) enables exploitation of public-facing web application (T1190) and arbitrary database queries for unauthorized data access/collection (T1213.006).

CVEs Like This One

CVE-2025-0210Same vendor: Campcodes
CVE-2025-7183Same vendor: Campcodes
CVE-2025-0212Same vendor: Campcodes
CVE-2026-0597Same vendor: Campcodes
CVE-2025-7220Same vendor: Campcodes
CVE-2025-7218Same vendor: Campcodes
CVE-2025-7219Same vendor: Campcodes
CVE-2025-7217Same vendor: Campcodes
CVE-2024-57162Same vendor: Campcodes
CVE-2025-0336Shared CWE-74, CWE-89

Affected Assets

campcodes
online loan management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection attacks by requiring validation of untrusted inputs like the Username argument in the /ajax.php?action=login endpoint.

prevent

Mandates timely identification, reporting, and correction of the specific SQL injection flaw in Campcodes Online Loan Management System 1.0.

preventdetect

Requires vulnerability scanning to detect the SQLi vulnerability in the login endpoint and subsequent remediation to prevent exploitation.

References