CVE-2025-10112 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Student Information Management System (SIMS). The vulnerability exists in an unspecified function within the file /admin/modules/department/index.php, where the manipulation of the 'ID' parameter allows an attacker to inject malicious SQL code. This flaw enables remote exploitation without requiring any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the underlying database, as the injected SQL commands can be used to extract sensitive student data, modify records, or disrupt system operations. The CVSS 4.0 base score is 6.9, categorizing it as a medium severity issue. Although no public exploits have been observed in the wild yet, the exploit code has been publicly disclosed, increasing the risk of exploitation. The vulnerability does not require privileges or user interaction, making it easier for attackers to leverage. The affected product is a Student Information Management System, which typically stores sensitive educational and personal data, making the impact potentially significant for institutions using this software. No official patches or mitigation links have been published at the time of this report.

For European organizations, particularly educational institutions using the itsourcecode Student Information Management System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of student and administrative data. Exploitation could lead to unauthorized disclosure of personally identifiable information (PII), academic records, and potentially financial data if stored within the system. Data tampering could disrupt academic operations, affecting enrollment, grading, and departmental management. The availability of the system could also be compromised if attackers execute destructive SQL commands. Given the remote and unauthenticated nature of the exploit, attackers could target multiple institutions simultaneously, leading to widespread data breaches and operational disruptions. This could also result in regulatory non-compliance issues under GDPR, leading to legal and financial repercussions for affected organizations.

Since no official patches are currently available, European organizations should implement immediate compensating controls. These include: 1) Restricting network access to the vulnerable application by limiting inbound traffic to trusted IP addresses or VPNs; 2) Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter in /admin/modules/department/index.php; 3) Conducting thorough input validation and sanitization on all user-supplied parameters, especially 'ID', to prevent injection; 4) Monitoring application logs for suspicious query patterns or repeated failed attempts indicative of SQL injection probes; 5) Isolating the affected system within the network to minimize lateral movement; 6) Planning and prioritizing an upgrade or patch deployment once the vendor releases a fix; 7) Educating IT and security teams about the vulnerability and potential indicators of compromise. Additionally, organizations should review and enhance database user permissions to follow the principle of least privilege, limiting the damage potential of any successful injection.