CVE-2025-10809 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Learning Management System (LMS). The vulnerability resides in an unspecified function within the /admin/department.php file, specifically involving the manipulation of the 'd' argument. This flaw allows an unauthenticated remote attacker to inject malicious SQL code into the backend database queries executed by the application. The injection occurs without requiring any privileges or user interaction, indicating that the attack surface is exposed directly over the network. Exploiting this vulnerability could enable an attacker to read, modify, or delete sensitive data stored in the LMS database, potentially including user credentials, course content, or administrative information. The CVSS v4.0 base score is 6.9, categorized as medium severity, reflecting the network attack vector, low complexity, and no required privileges or user interaction, but with limited impact on confidentiality, integrity, and availability (all rated low). Although no public exploits are currently known to be in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation by opportunistic attackers. The lack of available patches or mitigations from the vendor at this time further exacerbates the risk for organizations using this LMS version. Given the critical role of LMS platforms in educational and training environments, exploitation could disrupt operations and compromise sensitive educational data.

For European organizations, particularly educational institutions, training providers, and corporate learning departments using Campcodes LMS 1.0, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized access to student and staff personal data, intellectual property such as course materials, and administrative credentials, potentially violating GDPR and other data protection regulations. Data integrity could be compromised, leading to misinformation or loss of trust in the learning platform. Availability impacts are limited but could occur if attackers manipulate or delete critical data, causing service disruptions. The remote, unauthenticated nature of the vulnerability increases the likelihood of exploitation, especially in environments where the LMS is exposed to the internet without adequate network segmentation or firewall protections. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise or widespread disruption without additional attack steps. However, the educational sector's strategic importance in Europe and the sensitivity of the data involved elevate the potential consequences of an attack.

European organizations using Campcodes LMS 1.0 should immediately conduct a thorough security review of their LMS deployment. Specific mitigations include: 1) Restrict network access to the /admin/department.php endpoint by implementing firewall rules or VPN access to limit exposure to trusted administrators only. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'd' parameter. 3) Conduct input validation and sanitization on all user-supplied parameters, especially the 'd' argument, to prevent injection attacks. 4) Monitor application logs for unusual database query patterns or errors indicative of injection attempts. 5) Engage with the vendor to obtain patches or updates; if unavailable, consider upgrading to a newer, secure version or migrating to an alternative LMS platform. 6) Implement database-level protections such as least privilege principles for the LMS database user to limit the impact of any injection. 7) Regularly back up LMS data and test restoration procedures to mitigate data loss risks. 8) Educate administrative users on security best practices and the risks of exposing administrative interfaces publicly.