CVE-2025-11064: SQL Injection in Campcodes Online Learning Management System
A security flaw has been discovered in Campcodes Online Learning Management System 1.0. Impacted is an unknown function of the file /admin/teachers.php. Manipulation of the argument department results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-11064 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Learning Management System (LMS). The flaw is in /admin/teachers.php, which passes the 'department' request parameter into a database query without neutralising SQL metacharacters, so an attacker who controls that value can change the statement the backend executes: read rows the query was never meant to return, alter or delete records, or make the query fail. The CVSS 4.0 base score is 6.9 (medium). The vector records a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N); note that the affected script sits under /admin, so check whether your deployment enforces an authentication check on that path rather than relying on the PR:N rating alone. Impact on the vulnerable system is rated low for confidentiality, integrity and availability (VC:L, VI:L, VA:L), meaning data can be read, modified or disrupted but with constraints on what a single query can reach. CVSS 4.0 has no scope metric; the subsequent-system metrics (SC:N, SI:N, SA:N) are all None, meaning the rating confines the impact to the LMS and its database and does not credit onward compromise of other systems. No exploitation in the wild has been reported, but exploit code has been published, which lowers the effort needed to attack exposed instances. Only version 1.0 is listed as affected, and no vendor patch was available at publication. Because the LMS stores teacher and student records, a successful attack could expose personal data, alter records, or disrupt the service.
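To make the failure mode concrete, the following is an added example written for this page; it is not code from the Campcodes LMS, the advisory, or the published exploit. The table layout, the query shape and the sample rows are assumptions, and SQLite stands in for the LMS database so it runs offline. It shows a query that splices the 'department' value into SQL text beside the parameterised form, and runs a boolean and a UNION payload of the kind this bug class admits against both.

```python
"""Vulnerable vs. parameterised query, modelled on the CVE-2025-11064 bug class.

Added example, not code from the Campcodes LMS or the advisory. The table
layout and the query shape are assumptions chosen to show the failure mode;
SQLite stands in for the LMS database so the script runs offline.
"""
import sqlite3

# Constructed sample rows standing in for the LMS teachers and users tables.
SAMPLE_TEACHERS = [
    ("Alice Martin", "Mathematics", "alice@example.edu"),
    ("Bob Keller", "Physics", "bob@example.edu"),
    ("Carla Ruiz", "History", "carla@example.edu"),
]
SAMPLE_USERS = [("admin", "5f4dcc3b5aa765d61d8327deb882cf99")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with the assumed schema and sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE teachers (id INTEGER PRIMARY KEY, name TEXT, department TEXT, email TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO teachers (name, department, email) VALUES (?, ?, ?)", SAMPLE_TEACHERS)
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_teachers_vulnerable(conn: sqlite3.Connection, department: str) -> list:
    """Assumed vulnerable shape: the request value is spliced into the SQL text.

    Anything the attacker puts in `department` becomes part of the statement,
    so a quote closes the literal and the rest is interpreted as SQL.
    """
    sql = ("SELECT name, department, email FROM teachers "
           "WHERE department = '" + department + "'")
    return conn.execute(sql).fetchall()


def find_teachers_safe(conn: sqlite3.Connection, department: str) -> list:
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name, department, email FROM teachers WHERE department = ?"
    return conn.execute(sql, (department,)).fetchall()


# Payloads of the kind this bug class admits. Constructed for the demo;
# not taken from the published exploit.
PAYLOAD_BOOLEAN = "Physics' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT username, password_hash, '' FROM users--"


def main() -> None:
    conn = build_db()
    # Boolean payload: the WHERE clause becomes always-true, every teacher is returned.
    print("vulnerable, boolean payload:", find_teachers_vulnerable(conn, PAYLOAD_BOOLEAN))
    # UNION payload: a second SELECT pulls credentials out of an unrelated table.
    print("vulnerable, union payload:  ", find_teachers_vulnerable(conn, PAYLOAD_UNION))
    # The same payload bound as a parameter is just a department name that matches nothing.
    print("safe, boolean payload:      ", find_teachers_safe(conn, PAYLOAD_BOOLEAN))
    print("safe, normal value:         ", find_teachers_safe(conn, "Physics"))


if __name__ == "__main__":
    main()
```

The UNION payload is the reason VC:L still amounts to a credential leak in practice: the injected SELECT is not limited to the teachers table, only to a matching column count, so any table the LMS database user can read is reachable from this one parameter.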
Potential Impact
For European organizations, especially educational institutions and training providers running Campcodes LMS version 1.0, the vulnerability is a significant risk. Successful exploitation could disclose personal data of students and staff, a breach under the GDPR with possible legal and financial consequences. The integrity of educational records could be compromised, affecting grading, attendance and certification. Availability impacts could disrupt online learning, which matters most where teaching depends on remote delivery. Because the exploit is remote and, per the advisory, needs no authentication, exposed instances can be attacked at scale, and public exploit code lets attackers automate scanning and exploitation across many targets. A breach would also damage the reputation of the affected institution and trust in its digital education platform.
Mitigation Recommendations
Organizations should first determine whether they run Campcodes LMS version 1.0 and, since no vendor patch was available at publication, plan to fix the code themselves or take the instance off the network. The root-cause fix is in the application: rewrite the query in /admin/teachers.php (and any other query that takes request input) to use prepared statements with bound parameters, and validate the 'department' value against an allowlist of expected names before it reaches the database. WAF rules that block SQL metacharacters in the 'department' parameter of /admin/teachers.php are a useful stopgap but not a substitute, because encoding and comment tricks routinely bypass signature-based filters. Restrict the /admin directory to trusted IP ranges or a VPN so the vulnerable endpoint is not reachable from the internet; on Apache a Require ip directive in the directory configuration does this, and the equivalent on nginx is an allow/deny block. Review web-server access logs for requests to /admin/teachers.php whose 'department' value contains quotes, SQL keywords or comment sequences, and enable database query logging long enough to establish whether exploitation has already occurred. Keep tested backups of the LMS database so records can be restored if they are altered or deleted, brief administrators on the issue, and watch for a vendor release or advisory that addresses it.
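The allowlist check and the log review recommended above, as an added example written for this page rather than code from the Campcodes LMS or the advisory. The access-log lines are constructed in Apache combined format (one benign request, three probes, one unrelated hit), and the allowlist pattern for department names is an assumption to tune against real data. The scanner decodes the parameter twice so that double-encoded probes are not missed, and reports each suspicious request with the reasons it tripped.

```python
"""Allowlist validation and access-log triage for the 'department' parameter.

Added example, not code from the Campcodes LMS or the advisory. The log lines
below are constructed in Apache combined format, and the allowlist for
department names is an assumption to be tuned against real data.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines: one benign request, three probes, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Sep/2025:00:05:11 +0000] "GET /admin/teachers.php?department=Mathematics HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Sep/2025:00:05:19 +0000] "GET /admin/teachers.php?department=Physics%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Sep/2025:00:06:02 +0000] "GET /admin/teachers.php?department=x%27+UNION+SELECT+username%2Cpassword%2C1+FROM+users--+- HTTP/1.1" 200 4096 "-" "python-requests/2.32"
198.51.100.7 - - [28/Sep/2025:00:06:40 +0000] "GET /admin/teachers.php?department=%2528SELECT%2A%2529 HTTP/1.1" 200 1800 "-" "sqlmap/1.8"
192.0.2.44 - - [28/Sep/2025:00:07:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Apache combined format: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Assumed allowlist: a department name starts with a letter and contains only
# letters, digits, spaces, '&' and hyphens, at most 64 characters in total.
DEPARTMENT_OK = re.compile(r"[A-Za-z][A-Za-z0-9 &-]{0,63}")

# Tokens that never belong in a department name but are needed to inject SQL.
SQLI_HINT = re.compile(
    r"['\"`;]|--|/\*|\b(?:union|select|sleep|benchmark|load_file)\b", re.IGNORECASE
)


def is_valid_department(value: str) -> bool:
    """Allowlist check to apply server-side before the value reaches any query."""
    return DEPARTMENT_OK.fullmatch(value) is not None


def classify_request(line: str):
    """Return a finding dict for a suspicious /admin/teachers.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/admin/teachers.php":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("department", []):
        # parse_qs decoded one layer; decode once more so double-encoded probes are seen too.
        value = unquote_plus(raw)
        reasons = []
        if not is_valid_department(value):
            reasons.append("outside allowlist")
        if SQLI_HINT.search(value):
            reasons.append("sql metacharacters")
        if reasons:
            return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                    "department": value, "reasons": reasons}
    return None


def scan_log(text: str) -> list:
    """Run classify_request over every line and collect the findings."""
    findings = []
    for line in text.splitlines():
        finding = classify_request(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], repr(f["department"]), ", ".join(f["reasons"]))
```

The allowlist is the check that belongs in the application; the metacharacter pattern is the weaker, signature-style check a WAF would apply, and the example keeps both so the log output shows which one caught each probe. A 200 status on a probe is not proof of success, since the vulnerable script may return 200 for any input, so findings should be confirmed against database logs rather than treated as a verdict.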
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-26T11:59:55.800Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d87cd15d6228f86ddc9255
Added to database: 9/28/2025, 12:09:53 AM
Last enriched: 10/5/2025, 12:55:11 AM
Last updated: 10/7/2025, 1:50:28 PM
Related Threats
- Hackers Stole Data From Public Safety Comms Firm BK Technologies (Medium)
- CVE-2025-11396: SQL Injection in code-projects Simple Food Ordering System (Medium)
- CVE-2025-40889: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Nozomi Networks Guardian (High)
- CVE-2025-40888: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Nozomi Networks Guardian (Medium)
- CVE-2025-40887: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Nozomi Networks Guardian (Medium)