
CVE-2025-10600: Unrestricted Upload in SourceCodester Online Exam Form Submission

Severity: Medium
Published: Wed Sep 17 2025 (09/17/2025, 16:32:07 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Exam Form Submission

Description

A flaw has been found in SourceCodester Online Exam Form Submission 1.0. This impacts an unknown function of the file /register.php. This manipulation of the argument img causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used.

AI-Powered Analysis

Last updated: 09/17/2025, 16:39:13 UTC

Technical Analysis

CVE-2025-10600 is a vulnerability in SourceCodester Online Exam Form Submission version 1.0. The flaw is in /register.php, in the handling of the 'img' argument, and it allows an unauthenticated remote attacker to upload files without restriction and without any user interaction. Because the upload is unrestricted, an attacker can place arbitrary files, potentially including scripts or executables, on the server hosting the application; if such a file can later be executed or retrieved, the result can be remote code execution, data theft, or server takeover. The vulnerability carries a CVSS 4.0 base score of 6.9, which falls in the medium severity band. The vector shows a network attack (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N); the confidentiality, integrity, and availability impacts are rated low to medium, meaning limited but meaningful damage if exploited. No exploitation in the wild has been reported so far, but exploit code has been published, which raises the likelihood of attacks. No vendor patch or mitigation is available at the time of writing, which further elevates the risk. The vulnerability is particularly concerning for organizations running this online exam form submission software, since it allows security controls to be bypassed remotely through file upload abuse.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the adoption of the SourceCodester Online Exam Form Submission 1.0 software. Educational institutions, certification bodies, or training providers using this software for exam registrations or form submissions could face significant risks. Exploitation could lead to unauthorized access to sensitive student or candidate data, manipulation of exam records, or disruption of exam processes. Additionally, uploaded malicious files could be used as a foothold for further network intrusion, lateral movement, or data exfiltration. Given the remote and unauthenticated nature of the attack, any exposed instance of this software is at risk. This could undermine trust in online examination systems and cause reputational damage. Moreover, if exploited, it could lead to violations of data protection regulations such as GDPR, resulting in legal and financial penalties. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise without additional factors. However, the ease of exploitation and lack of required privileges make it a notable threat vector for European organizations relying on this software.

Mitigation Recommendations

Immediate mitigation should focus on restricting file upload capabilities within the /register.php endpoint. Organizations should implement strict server-side validation of uploaded files, including checking file types, sizes, and content signatures to prevent malicious files from being accepted. Employing allowlists for permitted file extensions and scanning uploads with antivirus or malware detection tools is recommended. Additionally, isolating the upload directory with minimal permissions and disabling execution rights on uploaded files can reduce the risk of remote code execution. Network-level controls such as web application firewalls (WAFs) can be configured to detect and block suspicious upload attempts targeting the 'img' parameter. Since no official patch is currently available, organizations should consider temporarily disabling the vulnerable upload functionality if feasible. Monitoring logs for unusual upload activity and implementing intrusion detection systems can help detect exploitation attempts. Finally, organizations should engage with the vendor or community to track patch releases and apply updates promptly once available.
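As an added example (not SourceCodester's code), the following hardened PHP handler for the 'img' upload applies the controls listed above: a size limit, an extension allowlist, a content-signature check, a server-chosen filename, and a non-executable storage location outside the web root. The upload directory path and the size limit are assumptions.

```php
<?php
// Added example, not SourceCodester's code: a hardened handler for the
// 'img' upload in /register.php. Assumes PHP 7.4+ with the fileinfo
// extension and an upload directory outside the web root.

const MAX_IMG_BYTES = 2 * 1024 * 1024;          // assumed 2 MiB cap
const UPLOAD_DIR    = '/var/app/uploads/';        // assumed path, not web-served
const ALLOWED       = [                           // extension => sniffed MIME type
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

// Validate one $_FILES entry and return a server-chosen filename, or throw.
// Every decision is made from the file's bytes on the server, never from the
// client-supplied name or Content-Type header, which the client controls.
function validate_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload missing or failed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_IMG_BYTES) {
        throw new RuntimeException('image size out of range');
    }
    // 1. Extension allowlist on the original name (double extensions such as
    //    x.php.jpg do not matter, because the stored name is ours, see step 4).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not permitted');
    }
    // 2. Content signature: the MIME type sniffed from the bytes must match.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // 3. The file must decode as an image, not just carry a magic header.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    // 4. Random name chosen by the server; the client never controls the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$name = validate_image_upload($_FILES['img'] ?? []);
if (!move_uploaded_file($_FILES['img']['tmp_name'], UPLOAD_DIR . $name)) {
    throw new RuntimeException('could not store image');
}
chmod(UPLOAD_DIR . $name, 0640);   // readable by the app only, no execute bit
```

Images stored outside the web root should be served through a small read-only script that sets the Content-Type, so nothing in the upload directory is ever interpreted by PHP. If the directory must live under the web root, pair it with a web server rule that disables script execution there.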


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-17T06:46:13.117Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68cae414bbadf27e02c744cc

Added to database: 9/17/2025, 4:38:44 PM

Last enriched: 9/17/2025, 4:39:13 PM

Last updated: 9/17/2025, 4:39:19 PM
