EUVD-2025-16904

CVE-2025-5602 | HIGH | CVSS 3.1: 7.3 | 2025-06-04

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low

Lifecycle Timeline

- Analysis Generated: Mar 14, 2026 - 17:29 (vuln.today)
- EUVD ID Assigned: Mar 14, 2026 - 17:29 (euvd), EUVD-2025-16904
- PoC Detected: Jun 10, 2025 - 15:09 (vuln.today), public exploit code
- CVE Published: Jun 04, 2025 - 18:15 (nvd), HIGH 7.3

Description

A vulnerability, which was classified as critical, was found in Campcodes Hospital Management System 1.0. Affected is an unknown function of the file /admin/registration.php. The manipulation of the argument full_name leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis

Critical SQL injection vulnerability in Campcodes Hospital Management System version 1.0, affecting the /admin/registration.php endpoint. An unauthenticated remote attacker can inject arbitrary SQL commands via the 'full_name' parameter, potentially leading to unauthorized data access, modification, or denial of service. The exploit has been publicly disclosed, which raises the risk of exploitation in healthcare environments.

Technical Context

The vulnerability exists in the registration.php administrative interface, where user-supplied input from the 'full_name' parameter is insufficiently sanitized before being incorporated into SQL queries. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') vulnerability, specifically manifesting as SQL injection (CWE-89). The affected application is Campcodes Hospital Management System, a PHP-based healthcare administration platform. The flaw stems from insufficient input validation and insufficient use of parameterized queries, which allows direct SQL command injection without authentication. The /admin/ path suggests that this administrative function either lacks proper access controls or can be reached through an authentication bypass.

Affected Products

- product: Campcodes Hospital Management System; version: 1.0; component: /admin/registration.php; affected_parameter: full_name; cpe: cpe:2.3:a:campcodes:hospital_management_system:1.0:*:*:*:*:*:*:*; status: Vulnerable

Priority Score

Score: 57

- KEV: 0
- EPSS: +0.1
- CVSS: +36
- POC: +20
