CVE-2025-11063 is a medium-severity SQL Injection vulnerability found in version 1.0 of the Campcodes Online Learning Management System (LMS). The vulnerability arises from improper sanitization of the 'd' parameter in the /admin/edit_department.php file, allowing an unauthenticated remote attacker to inject malicious SQL code. This flaw enables attackers to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or disruption of service. The vulnerability does not require any user interaction or authentication, increasing its risk profile. Although the CVSS 4.0 score is 6.9 (medium severity), the exploitability is high due to the lack of required privileges and user interaction. The vulnerability affects confidentiality, integrity, and availability to a limited extent (low impact on each), but the scope is limited to the Campcodes LMS 1.0 installation. No public exploit is currently known to be actively used in the wild, but proof-of-concept code is available, which could facilitate exploitation by attackers. The absence of patches or vendor-provided fixes increases the urgency for mitigation. Given the LMS context, compromised systems could expose sensitive educational data, user credentials, or administrative controls, impacting organizational operations and privacy compliance.

For European organizations using Campcodes LMS 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of educational and administrative data. Exploitation could lead to unauthorized disclosure of student records, course materials, and internal administrative information. This could result in reputational damage, regulatory penalties under GDPR due to personal data exposure, and operational disruptions if the LMS is manipulated or taken offline. Educational institutions and training providers relying on this LMS may face interruptions in service delivery, affecting students and staff. Additionally, attackers could leverage this vulnerability as a foothold for further network intrusion or lateral movement within the organization. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise without additional weaknesses. However, the ease of remote exploitation without authentication makes it a notable threat vector that European organizations must address promptly.

Since no official patches or vendor advisories are currently available, European organizations should implement immediate compensating controls. These include: 1) Restricting access to the /admin/edit_department.php endpoint through network segmentation and firewall rules, limiting it to trusted administrative IP addresses only. 2) Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'd' parameter. 3) Conducting thorough input validation and sanitization at the application level if source code access is available, specifically for the 'd' parameter. 4) Monitoring logs for suspicious database query patterns or repeated access attempts to the vulnerable endpoint. 5) Planning and prioritizing an upgrade or migration to a patched or alternative LMS solution as soon as a fix becomes available. 6) Educating administrative users on the risks and encouraging strong credential management to reduce the risk of further compromise. These targeted mitigations go beyond generic advice by focusing on access control, detection, and immediate risk reduction in the absence of a patch.