
CVE-2025-10112: SQL Injection in itsourcecode Student Information Management System

Severity: Medium
Published: Mon Sep 08 2025 (09/08/2025, 23:32:06 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: Student Information Management System

Description

A weakness has been identified in itsourcecode Student Information Management System 1.0. The affected element is an unknown function in the file /admin/modules/department/index.php. Manipulation of the argument ID leads to SQL injection. The attack can be carried out remotely. The exploit has been made available to the public and may be used.

AI-Powered Analysis

Last updated: 09/09/2025, 00:01:53 UTC

Technical Analysis

CVE-2025-10112 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Student Information Management System (SIMS). The vulnerability exists in an unspecified function within the file /admin/modules/department/index.php, where the manipulation of the 'ID' parameter allows an attacker to inject malicious SQL code. This injection flaw can be exploited remotely without requiring any authentication or user interaction, making it highly accessible to attackers. The vulnerability enables an adversary to execute arbitrary SQL commands against the backend database, potentially leading to unauthorized data access, data modification, or even deletion. Given that the affected system is a student information management platform, the compromised data could include sensitive personal information such as student records, grades, and administrative details. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. However, the exploit code has been publicly disclosed, increasing the risk of exploitation by opportunistic attackers. No official patches or fixes have been published yet, which leaves organizations using this software exposed until mitigations or updates are applied.

Potential Impact

For European organizations, especially educational institutions and administrative bodies using the itsourcecode Student Information Management System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive student and staff data, violating GDPR and other data protection regulations, potentially resulting in legal penalties and reputational damage. Integrity of student records could be compromised, affecting academic evaluations and administrative decisions. Availability impacts, while limited, could disrupt access to critical educational services if the database is manipulated or corrupted. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, particularly in environments where the system is exposed to the internet or insufficiently segmented. The public availability of exploit code further elevates the threat, making rapid response and mitigation essential to prevent data breaches and operational disruptions.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement immediate compensating controls. These include:

1) Restricting network access to the Student Information Management System by implementing firewall rules and network segmentation, so that it is reachable only from trusted internal networks;
2) Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter in the affected endpoint;
3) Conducting thorough input validation and sanitization on all user-supplied parameters, especially the 'ID' argument, to prevent injection attacks;
4) Monitoring logs for unusual database queries or error messages indicative of exploitation attempts;
5) Regularly backing up databases and verifying backup integrity to enable recovery in case of data corruption;
6) Planning and prioritizing an upgrade or migration to a patched or alternative system version once available;
7) Educating IT staff and administrators about the vulnerability and signs of exploitation to enhance detection and response capabilities.
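The fix that items 2 and 3 above point at, as an added PHP example that is not the project's own code: the advisory does not publish the vulnerable function in /admin/modules/department/index.php, so the "before" function below is a constructed illustration of the pattern the description implies (the request's ID interpolated into the query text), and the "after" function is the standard hardening with integer validation plus a prepared statement. The table and column names (departments, id, name) are assumptions, and the script runs against an in-memory SQLite database with constructed rows so it works offline.

```php
<?php
// Added example; not code from the itsourcecode Student Information Management System.
// The table/column names below are assumptions chosen for the demonstration.

// --- Vulnerable pattern (constructed illustration of the reported flaw) ---
function findDepartmentVulnerable(PDO $db, string $id): ?array
{
    // The request parameter is pasted into the SQL text unchanged, so any quote
    // or SQL keyword in $id becomes part of the statement itself.
    $sql = "SELECT id, name FROM departments WHERE id = '" . $id . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened version ---
function findDepartment(PDO $db, string $rawId): ?array
{
    // 1) Validate the shape first. A department ID is a positive integer, so
    //    anything else is rejected before it reaches the database at all.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2) Bind the value as a parameter. The statement text is fixed at prepare
    //    time, so the bound value can never alter the query's structure.
    $stmt = $db->prepare('SELECT id, name FROM departments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demonstration against an in-memory SQLite database (constructed data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE departments (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO departments (id, name) VALUES (1, 'Mathematics'), (2, 'Physics')");

// A well-formed request behaves the same in both versions.
var_dump(findDepartmentVulnerable($db, '1'));
var_dump(findDepartment($db, '1'));

// A tampered ID that closes the quote and appends a tautology. The vulnerable
// version hands the database a different query than the developer wrote; the
// hardened version never runs a query, because the input fails integer validation.
$tampered = "1' OR '1'='1";
var_dump(findDepartmentVulnerable($db, $tampered));
var_dump(findDepartment($db, $tampered));
```

The integer check and the prepared statement are independent layers: the prepared statement alone already prevents injection, while the validation step additionally keeps malformed requests out of the database logs and gives the monitoring in item 4 a clean signal (a rejected ID at the application boundary is easier to alert on than a failed query). On MySQL deployments, also set PDO::ATTR_EMULATE_PREPARES to false so that binding happens server-side rather than by client-side quoting.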


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-08T14:20:10.050Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68bf6ad1d5a2966cfc843641

Added to database: 9/8/2025, 11:46:25 PM

Last enriched: 9/9/2025, 12:01:53 AM

Last updated: 9/10/2025, 3:10:20 AM

