CVE-2025-9770
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in Campcodes Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ of the component Admin Dashboard Login. This manipulation of the argument Password causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9770
EUVD
EUVD-2025-26334
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
campcodes hospital_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9770 is a SQL injection vulnerability in the Campcodes Hospital Management System 1.0, specifically in the Admin Dashboard Login at the /admin/ path. It occurs because the system does not properly sanitize the Password input, allowing an attacker to inject malicious SQL code. This enables the attacker to bypass authentication by manipulating the SQL query logic, for example by submitting payloads like `Test' OR 1=1 #`, which always evaluate to true. The attack can be performed remotely without any authentication. [1, 2]

Impact Analysis

This vulnerability can allow an attacker to gain unauthorized administrative access to the hospital management system remotely. By exploiting the SQL injection flaw, the attacker can bypass authentication controls, potentially compromising the confidentiality, integrity, and availability of the system. This could lead to unauthorized access to sensitive patient data, manipulation or deletion of records, and disruption of hospital operations. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the /admin/ login interface for SQL injection using payloads such as `Test' OR 1=1 #` in the username and password fields. A simple detection method is to attempt authentication with these payloads and observe if access is granted without valid credentials, indicating a successful SQL injection. Network monitoring tools can also look for suspicious login attempts containing SQL injection patterns targeting the /admin/ path. [1]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the /admin/ login interface to trusted IPs or internal networks, implementing web application firewalls (WAF) to block SQL injection payloads, and monitoring for exploitation attempts. Since no official patch or vendor mitigation is available, replacing the affected product with a secure alternative is recommended. Avoid using the vulnerable version until a fix is released. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9770. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart