CVE-2025-9744

HighPublic PoC

Published: 31 August 2025

Published

31 August 2025

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0127 79.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9744 is a high-severity Injection (CWE-74) vulnerability in Campcodes Online Loan Management System. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection attacks by requiring validation of untrusted inputs like the Username argument in the /ajax.php?action=login endpoint.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of the specific SQL injection flaw in Campcodes Online Loan Management System 1.0.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Requires vulnerability scanning to detect the SQLi vulnerability in the login endpoint and subsequent remediation to prevent exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in unauthenticated login endpoint (ajax.php?action=login) enables exploitation of public-facing web application (T1190) and arbitrary database queries for unauthorized data access/collection (T1213.006).

NVD Description

A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely.…

The exploit has been made available to the public and could be exploited.

Deeper analysisAI

CVE-2025-9744 is a SQL injection vulnerability (CWE-74, CWE-89) in Campcodes Online Loan Management System 1.0. The flaw resides in an unknown function within the file /ajax.php?action=login, where manipulation of the Username argument triggers the injection. Published on 2025-08-31, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and ease of exploitation.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the login endpoint. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption within the application's database. A public exploit is available, increasing the risk of widespread abuse.

Advisories on VulDB (ctiid.322043, id.322043, submit.640335) document the issue and recent submission details, while a GitHub repository (gggg6886/CVE/issues/1) hosts the exploit. The vendor's site at campcodes.com provides context on the affected software, though specific patch guidance is referenced in these sources.

The exploit's public availability heightens the potential for real-world exploitation against unpatched instances of this loan management system.

Details

CWE(s): CWE-74 CWE-89

Affected Products

campcodes

online loan management system

1.0

CVEs Like This One

CVE-2025-0210Same vendor: Campcodes

CVE-2025-7183Same vendor: Campcodes

CVE-2025-0212Same vendor: Campcodes

CVE-2024-57162Same vendor: Campcodes

CVE-2025-7220Same vendor: Campcodes

CVE-2025-7218Same vendor: Campcodes

CVE-2025-7219Same vendor: Campcodes

CVE-2026-0597Same vendor: Campcodes

CVE-2025-7217Same vendor: Campcodes

CVE-2024-13092Shared CWE-74, CWE-89

References

https://github.com/gggg6886/CVE/issues/1
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.322043
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.322043
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.640335
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.campcodes.com/
Product · cna@vuldb.com
https://github.com/gggg6886/CVE/issues/1
Exploit, Issue Tracking, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0