
CVE-2025-10673: SQL Injection in itsourcecode Student Information Management System

Severity: Medium
Published: Thu Sep 18 2025 (09/18/2025, 15:02:06 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: Student Information Management System

Description

A vulnerability was found in itsourcecode Student Information Management System 1.0. The affected element is an unknown function in the file /admin/modules/class/index.php. Manipulation of the argument classId leads to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.

AI-Powered Analysis

Last updated: 09/18/2025, 15:11:53 UTC

Technical Analysis

CVE-2025-10673 is a SQL injection vulnerability in version 1.0 of the itsourcecode Student Information Management System (SIMS). The flaw resides in an unspecified function within the file /admin/modules/class/index.php, where the 'classId' parameter is incorporated into a database query without adequate validation or parameterization, allowing an attacker to inject SQL syntax. The CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates that the flaw is reachable over the network, requires no authentication and no user interaction, and has low attack complexity.

The vulnerability affects the confidentiality, integrity, and availability of the underlying database: successful exploitation could lead to unauthorized data access, data modification, or deletion. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation and the potential for partial impact on each of those properties. Although no exploitation in the wild is currently known, the exploit has been publicly disclosed, which increases the likelihood that threat actors will attempt it. The absence of patches or vendor-provided mitigations further elevates the risk for organizations running this software.

Student information management systems are typically used by educational institutions to manage sensitive student data, including personal information, academic records, and administrative details, so a breach carries significant privacy and regulatory consequences.

Potential Impact

For European organizations, particularly educational institutions using the itsourcecode SIMS version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of student data. Exploitation could lead to unauthorized disclosure of personal and academic information, violating GDPR and other data protection regulations, potentially resulting in legal penalties and reputational damage. Data integrity could be compromised, affecting academic records and administrative processes. Availability impacts could disrupt school operations if the database is corrupted or deleted. The remote, unauthenticated nature of the exploit increases the attack surface, especially for institutions with internet-facing management interfaces. Given the sensitivity of educational data and the strict regulatory environment in Europe, the vulnerability could have severe operational and compliance consequences.

Mitigation Recommendations

1. Immediate mitigation should include restricting external access to the /admin/modules/class/index.php endpoint by implementing network-level controls such as IP whitelisting or VPN access for administrative interfaces.
2. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'classId' parameter.
3. Conduct a thorough code review and implement parameterized queries or prepared statements to eliminate SQL injection vectors in the affected code.
4. If vendor patches are unavailable, consider isolating the affected system within a segmented network zone with strict access controls.
5. Regularly monitor logs for suspicious database queries or anomalies related to the 'classId' parameter.
6. Educate IT staff on the vulnerability and ensure incident response plans include procedures for SQL injection attacks.
7. Plan for an upgrade or migration to a patched or alternative Student Information Management System that follows secure coding practices.
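The following is an added illustration of mitigation items 3 and 5, not code from the itsourcecode product or from the advisory: a PHP handler that validates a 'classId' request parameter strictly as an integer, queries the database only through a prepared statement with a typed bind, and logs rejected input for monitoring. The table name `class`, the column `className`, the connection credentials and the `$mysqli` handle are assumptions chosen for the example; the page does not disclose the application's schema or the vulnerable function.

```php
<?php
// Added example, not the project's own code. Demonstrates replacing a
// string-built query (the pattern "... WHERE classId = " . $_GET['classId'])
// with strict input validation plus a prepared statement.
declare(strict_types=1);

/**
 * Read classId from the query string and accept only a positive integer.
 * Returns null for a missing or non-integer value, so any string carrying
 * SQL syntax is rejected before it reaches the database layer.
 */
function readClassId(array $query): ?int
{
    if (!isset($query['classId'])) {
        return null;
    }
    $id = filter_var($query['classId'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch one class row. The value is bound with type "i" (integer), so MySQL
 * receives it as data, never as part of the SQL text. Table and column names
 * are assumed for this example. get_result() requires the mysqlnd driver.
 */
function fetchClass(mysqli $mysqli, int $classId): ?array
{
    $stmt = $mysqli->prepare('SELECT classId, className FROM class WHERE classId = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('i', $classId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$classId = readClassId($_GET);
if ($classId === null) {
    // Mitigation item 5: record the rejected value (truncated, so a long
    // payload cannot flood the log) together with the client address, then
    // fail closed with a generic error.
    error_log(sprintf(
        'classId rejected from %s: %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        substr((string) ($_GET['classId'] ?? ''), 0, 64)
    ));
    http_response_code(400);
    exit('invalid classId');
}

// Placeholder connection parameters; replace with the deployment's own.
$mysqli = new mysqli('localhost', 'sims_user', 'sims_password', 'sims');
$mysqli->set_charset('utf8mb4');

header('Content-Type: application/json');
echo json_encode(fetchClass($mysqli, $classId) ?? ['error' => 'not found']);
```

Validation and parameterization are deliberately both present: the prepared statement alone already prevents injection, while the integer check additionally keeps malformed input out of the application and produces a log line that the monitoring from item 5 can alert on.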


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-18T05:48:03.208Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68cc212964e6b4fd4107bb33

Added to database: 9/18/2025, 3:11:37 PM

Last enriched: 9/18/2025, 3:11:53 PM

Last updated: 9/18/2025, 7:34:35 PM

