cbcvebase.
CVE-2025-9744
published 2025-08-31

Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 1.66% (73.8th percentile)
A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited.

Affected (1 range)

Vendor: campcodes
Product: online_loan_management_system
Version range: none listed
Fixed in: none listed

Detection & IOCs (extracted from sources)

url: /ajax.php?action=login
path: /ajax.php?action=login
command: username=admin'+or+'1'%3D'1'%23&password=
  • Detect SQL injection authentication bypass attempts against /ajax.php?action=login by inspecting POST body for classic SQLi payloads in the username parameter (e.g., OR '1'='1' patterns with URL-encoded characters).
  • Successful exploitation results in a response body containing 'window.start_load', 'Welcome back Admin', and 'Loan Management System' simultaneously — monitor for these strings in HTTP responses following a POST to /ajax.php?action=login.
  • The Content-Type header 'application/x-www-form-urlencoded' is used in the malicious POST request; inspect POST bodies with this content type to /ajax.php for SQLi patterns in the username field.
  • Absence of 'login-form' in the HTTP response body after a POST to /ajax.php?action=login indicates successful authentication bypass via SQL injection.
  • The vulnerability is unauthenticated and remotely exploitable with no privileges required (PR:N, UI:N), meaning any internet-exposed instance of Loan Management System 1.0 is at risk without any preconditions.
  • Public exploit code is available on Exploit-DB and PacketStorm, significantly lowering the bar for exploitation.
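The four detection bullets above describe one rule: a form-encoded POST to /ajax.php?action=login whose username field decodes to a tautology or comment-terminated SQL fragment, escalated to a confirmed bypass when the response carries all three success strings and no 'login-form'. The following Python is an added illustration of that rule, not code from the CVE record or from Campcodes; the event dictionaries, field names and sample traffic are constructed here, and the only page-derived values are the endpoint, the content type, the response markers and the recorded payload.

```python
import re
from urllib.parse import parse_qs

# Values taken from the CVE record above
LOGIN_PATH = "/ajax.php?action=login"
FORM_CT = "application/x-www-form-urlencoded"
SUCCESS_MARKERS = ("window.start_load", "Welcome back Admin", "Loan Management System")

# Classic tautology (' or '1'='1) or a trailing SQL comment terminator (#, --, /*)
SQLI_RE = re.compile(r"""['"]\s*(?:or|and)\s+[^=]*=|(?:--|#|/\*)""", re.IGNORECASE)


def decoded_username(body: str):
    """Return the URL-decoded username field of a form body, or None if absent."""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("username")
    return values[0] if values else None


def is_sqli_login_attempt(method: str, path: str, content_type: str, body: str) -> bool:
    """True when a form-encoded POST to the login endpoint carries an SQLi-shaped username."""
    if method.upper() != "POST" or path != LOGIN_PATH:
        return False
    if content_type.split(";")[0].strip().lower() != FORM_CT:
        return False
    username = decoded_username(body)
    return username is not None and SQLI_RE.search(username) is not None


def response_indicates_bypass(response_body: str) -> bool:
    """All three success strings present and the login form no longer rendered."""
    return all(m in response_body for m in SUCCESS_MARKERS) and "login-form" not in response_body


def classify(event: dict):
    """Return 'success', 'attempt' or None for one request/response pair (constructed schema)."""
    if not is_sqli_login_attempt(event["method"], event["path"],
                                 event["content_type"], event["request_body"]):
        return None
    return "success" if response_indicates_bypass(event["response_body"]) else "attempt"


# Constructed sample traffic, not real captures; event 2 and 3 reuse the payload from the record
SAMPLE_EVENTS = [
    {"id": 1, "method": "POST", "path": LOGIN_PATH, "content_type": FORM_CT,
     "request_body": "username=alice&password=s3cret",
     "response_body": '<div class="login-form">Invalid credentials</div>'},
    {"id": 2, "method": "POST", "path": LOGIN_PATH, "content_type": FORM_CT,
     "request_body": "username=admin'+or+'1'%3D'1'%23&password=",
     "response_body": '<div class="login-form">Invalid credentials</div>'},
    {"id": 3, "method": "POST", "path": LOGIN_PATH, "content_type": FORM_CT,
     "request_body": "username=admin'+or+'1'%3D'1'%23&password=",
     "response_body": "<script>window.start_load()</script>Welcome back Admin - Loan Management System"},
]


def scan(events):
    """Return {event id: verdict} for every event that triggers the rule."""
    return {e["id"]: v for e in events if (v := classify(e)) is not None}


if __name__ == "__main__":
    for event_id, verdict in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {verdict}")
```

Decoding the body before matching matters: the recorded payload only reads as `admin' or '1'='1'#` once `+` and `%3D`/`%23` are translated, so a rule that inspects the raw wire bytes for `OR '1'='1'` would miss it. Pairing the request verdict with the response check separates failed probes from a working bypass, which is the distinction an incident responder needs first.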

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v4.0     5.5    MEDIUM    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P