CVE-2025-10597: SQL Injection in kidaze CourseSelectionSystem
A vulnerability was identified in kidaze CourseSelectionSystem up to commit 42cd892b40a18d50bd4ed1905fa89f939173a464. It affects unspecified code in the file /Profilers/PriProfile/COUNT2.php. Manipulating the argument cname causes SQL injection. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates; as a result, specific version information for affected or updated releases is not available.
AI Analysis
Technical Summary
CVE-2025-10597 is a SQL Injection vulnerability identified in the kidaze CourseSelectionSystem, specifically affecting the code within the /Profilers/PriProfile/COUNT2.php file. The vulnerability arises from improper sanitization or validation of the 'cname' parameter, which can be manipulated by an attacker to inject malicious SQL commands. This injection flaw allows an unauthenticated remote attacker to execute arbitrary SQL queries on the backend database without requiring any user interaction or privileges. The product follows a rolling release model, making it difficult to pinpoint exact affected versions beyond the identified commit hash (42cd892b40a18d50bd4ed1905fa89f939173a464). The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. Exploiting this vulnerability could enable attackers to read, modify, or delete sensitive data stored in the database, potentially leading to data breaches or unauthorized system manipulation. However, no known exploits are currently reported in the wild, indicating either recent discovery or limited public exploitation. The vulnerability's presence in a course selection system suggests that educational institutions or organizations using this software could be targeted, with risks including exposure of student data, academic records, or administrative information.
Potential Impact
For European organizations, particularly educational institutions such as universities and colleges that utilize the kidaze CourseSelectionSystem, this vulnerability poses a significant risk to the confidentiality and integrity of student and administrative data. Successful exploitation could lead to unauthorized disclosure of personal information, manipulation of course enrollment data, or disruption of academic processes. Given the sensitivity of educational records under regulations like GDPR, any data breach could result in regulatory penalties and reputational damage. Additionally, the ability to execute arbitrary SQL commands could be leveraged to pivot attacks within the network, potentially compromising other connected systems. The medium severity rating suggests that while the vulnerability is exploitable remotely without authentication, the overall impact is somewhat limited, possibly due to the scope of accessible data or existing compensating controls. Nonetheless, the threat is non-trivial and warrants prompt attention to prevent data breaches and maintain operational integrity.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit how inputs are handled, especially the 'cname' parameter in the /Profilers/PriProfile/COUNT2.php file, and ensure they are validated and never placed unescaped into SQL statements. Implementing parameterized queries or prepared statements is critical to prevent SQL injection attacks. Since the product uses a rolling release model, organizations should monitor vendor updates closely and apply patches or updates as soon as they become available. In the absence of official patches, deploying Web Application Firewalls (WAFs) with rules targeting SQL injection patterns can provide a temporary protective layer. Regular security assessments and code reviews focusing on input validation should be conducted to identify and remediate similar vulnerabilities. Additionally, restricting database user permissions to the minimum necessary can limit the potential damage from exploitation. Logging and monitoring database queries for unusual activity can help detect exploitation attempts early. Finally, educating developers and administrators about secure coding practices and the risks of SQL injection will help prevent future occurrences.
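The monitoring recommendation can start with the web server's access log. The following is an added example (not code from the CourseSelectionSystem project or from this advisory) that flags requests to the affected endpoint whose cname value falls outside an allow-list; the log format, the allow-list pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/Profilers/PriProfile/COUNT2.php"  # file named in the advisory
PARAM = "cname"                                # argument named in the advisory
# Assumption: legitimate course names are short and use only these characters.
SAFE_CNAME = re.compile(r"[\w .&()+-]{1,64}")
# Assumption: Common/Combined Log Format: ip ... "METHOD target HTTP/x" status
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Sep/2025:10:00:01 +0000] "GET /Profilers/PriProfile/COUNT2.php?cname=Linear+Algebra HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Sep/2025:10:00:07 +0000] "GET /Profilers/PriProfile/COUNT2.php?cname=Physics%27 HTTP/1.1" 200 9841',
    '203.0.113.9 - - [17/Sep/2025:10:00:09 +0000] "GET /Profilers/PriProfile/COUNT2.php?cname=Physics%2527 HTTP/1.1" 500 0',
    '198.51.100.2 - - [17/Sep/2025:10:01:00 +0000] "GET /index.php?cname=%27 HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded input is judged decoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client_ip, status, decoded_cname) for values outside the allow-list."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if unquote(url.path).lower() != ENDPOINT.lower():
            continue
        # parse_qs decodes once; repeated cname parameters are all inspected.
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            # fullmatch, so a trailing newline cannot slip past the pattern
            if not SAFE_CNAME.fullmatch(value):
                hits.append((ip, int(status), value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Access logs do not record POST bodies, so a cname value sent in a POST request is only visible to application-level or WAF logging.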
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-17T06:24:01.055Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68caf4a946aca7f3592e4647
Added to database: 9/17/2025, 5:49:29 PM
Last enriched: 9/17/2025, 5:49:44 PM
Last updated: 9/17/2025, 5:50:00 PM