CVE-2025-10113: SQL Injection in itsourcecode Student Information Management System
A security vulnerability has been detected in itsourcecode Student Information Management System 1.0. It affects an unknown function of the file /admin/modules/room/index.php; manipulation of the argument ID leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-10113 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Student Information Management System (SIMS). The vulnerability exists in an unspecified function within the file /admin/modules/room/index.php, where manipulation of the 'ID' argument allows an attacker to inject malicious SQL code. This injection flaw can be exploited remotely without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the backend database, as successful exploitation could allow attackers to read, modify, or delete sensitive student and administrative data stored within the system. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting the ease of exploitation combined with limited scope and impact. Although no public exploits have been observed in the wild yet, the vulnerability has been publicly disclosed, increasing the risk of future exploitation. The lack of available patches or mitigations from the vendor at the time of publication further elevates the urgency for organizations to implement protective measures. The vulnerability is particularly critical in educational environments where the Student Information Management System is deployed, as it could lead to unauthorized data disclosure or manipulation affecting students, staff, and institutional operations.
Potential Impact
For European organizations, especially educational institutions such as universities, colleges, and schools using the itsourcecode Student Information Management System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive personal data of students and staff, including academic records, personal identifiers, and potentially financial information. This could result in violations of the EU General Data Protection Regulation (GDPR), leading to legal penalties and reputational damage. Furthermore, data integrity attacks could disrupt academic operations, such as enrollment, grading, and scheduling, causing operational downtime and loss of trust. The remote and unauthenticated nature of the exploit increases the attack surface, potentially allowing attackers from outside the organization or even nation-states to compromise systems without insider access. Given the critical role of student information systems in educational administration, the impact extends beyond data loss to include disruption of educational services and potential cascading effects on connected systems.
Mitigation Recommendations
Since no official patches or updates are currently available from the vendor, European organizations should implement immediate compensating controls. These include:
1) Deploying Web Application Firewalls (WAFs) configured to detect and block SQL injection attempts targeting the vulnerable endpoint (/admin/modules/room/index.php), focusing on anomalous input patterns in the 'ID' parameter.
2) Conducting thorough input validation and sanitization on all user-supplied data, especially parameters passed to SQL queries, to prevent injection.
3) Restricting network access to the administrative module by limiting the IP addresses that can reach the /admin path, ideally allowing only trusted internal networks or VPN connections.
4) Monitoring logs for suspicious activity related to SQL errors or unusual query patterns to enable early detection of exploitation attempts.
5) Preparing for rapid patch deployment once the vendor releases an official fix by maintaining an inventory of affected systems and prioritizing updates.
6) Educating IT and security teams about the vulnerability to ensure vigilance and prompt response.
7) Considering database-level protections such as least privilege for the database user account used by the application, to limit the impact of any successful injection.
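As an added illustration (not code from the itsourcecode product or from this advisory), the following Python snippet contrasts the query pattern that produces this class of flaw with the hardened form that item 2 calls for: the 'before' function splices the ID request parameter into SQL text, while the hardened function allow-lists the ID as a decimal integer and then binds it as a query parameter. The rooms table, its rows and the function names are constructed assumptions for the example, and SQLite stands in for the application's database.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, str, int]


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory 'rooms' table standing in for the
    application's database. Schema and rows are assumptions for this
    illustration, not taken from the itsourcecode product."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rooms (id INTEGER PRIMARY KEY, name TEXT, capacity INTEGER)"
    )
    conn.executemany(
        "INSERT INTO rooms (id, name, capacity) VALUES (?, ?, ?)",
        [(1, "Room A", 30), (2, "Room B", 45), (3, "Lab 1", 20)],
    )
    conn.commit()
    return conn


def get_room_unsafe(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """'Before' pattern (hypothetical, shown for contrast): the request
    parameter is spliced into the SQL text, so any input that changes the
    statement's grammar changes what the database returns. This is the shape
    of flaw the advisory describes, not the product's actual code."""
    sql = f"SELECT id, name, capacity FROM rooms WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


def parse_room_id(raw_id: str) -> Optional[int]:
    """Allow-list validation: a room ID is a plain decimal integer, so
    anything else is rejected before it gets anywhere near the database."""
    raw = raw_id.strip()
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        return None
    return int(raw)


def get_room_safe(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """Hardened pattern: validate the type, then bind the value as a
    parameter. The placeholder keeps the value out of the statement's
    grammar, so the database never interprets it as SQL."""
    room_id = parse_room_id(raw_id)
    if room_id is None:
        return []  # a real request handler would answer HTTP 400 here
    return conn.execute(
        "SELECT id, name, capacity FROM rooms WHERE id = ?", (room_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # One well-formed ID and one input that is not an integer at all.
    for candidate in ("2", "' OR '1'='1"):
        print(f"ID={candidate!r}")
        print("  concatenated :", get_room_unsafe(db, candidate))
        print("  parameterized:", get_room_safe(db, candidate))
```

Running the file shows the two handlers side by side: for a well-formed ID both return the single matching row, while for a non-integer input the concatenated version returns rows it was never meant to expose and the validated, parameterized version returns nothing. The same two-step shape (type check first, bound parameter second) carries over directly to PHP's PDO or mysqli prepared statements, which is where a fix for the affected file would live.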
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-08T14:20:12.759Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68bf71d9d5a2966cfc847710
Added to database: 9/9/2025, 12:16:25 AM
Last enriched: 9/16/2025, 1:00:25 AM
Last updated: 10/29/2025, 9:49:02 AM