CVE-2025-9744
Published: 31 August 2025
Summary
CVE-2025-9744 is a medium-severity Injection (CWE-74) vulnerability in Campcodes Online Loan Management System. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.
The vulnerability permits unauthenticated remote attackers to inject arbitrary SQL commands via the login endpoint, potentially resulting in unauthorized data access or modification within the affected loan management application. Publicly disclosed proof-of-concept code increases the likelihood of automated or targeted exploitation against exposed instances.
EPSS scores for this CVE have risen from an initial low of 0.0094 to a peak of 0.0168, indicating emerging exploitation interest after disclosure. No vendor patches or specific mitigation guidance are detailed in the referenced advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26307
Vulnerability details
A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely.…
more
The exploit has been made available to the public and could be exploited.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated login endpoint (ajax.php?action=login) enables exploitation of public-facing web application (T1190) and arbitrary database queries for unauthorized data access/collection (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection attacks by requiring validation of untrusted inputs like the Username argument in the /ajax.php?action=login endpoint.
Mandates timely identification, reporting, and correction of the specific SQL injection flaw in Campcodes Online Loan Management System 1.0.
Requires vulnerability scanning to detect the SQLi vulnerability in the login endpoint and subsequent remediation to prevent exploitation.