CVE-2025-9770
BaseFortify
Publication date: 2025-09-01
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| campcodes | hospital_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9770 is a SQL injection vulnerability in the Campcodes Hospital Management System 1.0, specifically in the Admin Dashboard Login at the /admin/ path. It occurs because the system does not properly sanitize the Password input, allowing an attacker to inject malicious SQL code. This enables the attacker to bypass authentication by manipulating the SQL query logic, for example by submitting payloads like `Test' OR 1=1 #`, which always evaluate to true. The attack can be performed remotely without any authentication. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to gain unauthorized administrative access to the hospital management system remotely. By exploiting the SQL injection flaw, the attacker can bypass authentication controls, potentially compromising the confidentiality, integrity, and availability of the system. This could lead to unauthorized access to sensitive patient data, manipulation or deletion of records, and disruption of hospital operations. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /admin/ login interface for SQL injection using payloads such as `Test' OR 1=1 #` in the username and password fields. A simple detection method is to attempt authentication with these payloads and observe if access is granted without valid credentials, indicating a successful SQL injection. Network monitoring tools can also look for suspicious login attempts containing SQL injection patterns targeting the /admin/ path. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the /admin/ login interface to trusted IPs or internal networks, implementing web application firewalls (WAF) to block SQL injection payloads, and monitoring for exploitation attempts. Since no official patch or vendor mitigation is available, replacing the affected product with a secure alternative is recommended. Avoid using the vulnerable version until a fix is released. [2]