CVE-2025-10817 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Learning Management System (LMS). The vulnerability resides in the /admin/admin_user.php file, specifically through manipulation of the 'firstname' parameter. An attacker can remotely exploit this flaw without requiring authentication or user interaction, by injecting malicious SQL code into the firstname argument. This can lead to unauthorized access or modification of the LMS database, potentially exposing sensitive user data or allowing further compromise of the system. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is low to limited but still significant given the nature of LMS data. No official patches or mitigations have been published yet, and while no known exploits are reported in the wild, the exploit code is publicly available, increasing the risk of exploitation.

For European organizations using Campcodes LMS 1.0, this vulnerability poses a risk of data breaches involving student and staff personal information, academic records, and potentially administrative credentials. Exploitation could disrupt educational services, leading to reputational damage and regulatory consequences under GDPR due to unauthorized data exposure. The ability to execute SQL injection remotely without authentication increases the attack surface, especially for institutions with externally accessible LMS portals. Compromise could also facilitate lateral movement within the network or persistent access. Given the critical role of LMS platforms in education and training, operational disruption could affect learning continuity and institutional trust.

Organizations should immediately audit their Campcodes LMS installations to identify version 1.0 deployments. Until an official patch is released, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'firstname' parameter in /admin/admin_user.php. Restrict administrative interface access to trusted IP addresses or VPNs to reduce exposure. Conduct thorough input validation and sanitization on all user inputs, especially those interacting with the database. Monitor logs for suspicious activity indicative of SQL injection attempts. Engage with the vendor for timely patch updates and consider upgrading to newer, secure versions if available. Additionally, perform regular security assessments and penetration tests focusing on injection flaws in LMS environments.