CVE-2025-12140 is a critical vulnerability classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, commonly known as 'Eval Injection') affecting the Simple SA Wirtualna Uczelnia application. The root cause is an insecure implementation of the 'redirectToUrl' feature, which processes the 'redirectUrlParameter' parameter by interpreting its value as a Java expression. This dynamic evaluation occurs without proper sanitization or validation, allowing an unauthenticated attacker to inject and execute arbitrary Java code on the server. The vulnerability does not require any authentication or user interaction, making it trivially exploitable remotely. The impact includes full compromise of the affected system, enabling attackers to execute arbitrary commands, access sensitive data, modify application behavior, or disrupt service availability. The issue was addressed in version wu#2016.1.5513#0#20251014_113353, which removes the unsafe evaluation mechanism or properly sanitizes input. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects a network attack vector with no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the vulnerability's nature and severity make it a prime target for attackers. The vendor, Simple SA, is a Polish software company, and Wirtualna Uczelnia is an educational platform widely used in Poland and potentially other European countries.

The vulnerability allows unauthenticated remote attackers to execute arbitrary Java code on affected servers, leading to complete system compromise. For European organizations, especially educational institutions using Wirtualna Uczelnia, this can result in unauthorized data access, theft of personal and academic records, disruption of educational services, and potential lateral movement within internal networks. The breach of confidentiality could expose sensitive student and staff information, while integrity violations could alter academic records or system configurations. Availability impacts could cause denial of service, interrupting critical educational operations. Given the critical CVSS score and ease of exploitation, the threat poses a significant risk to organizational reputation, regulatory compliance (e.g., GDPR), and operational continuity. The lack of authentication or user interaction requirements increases the likelihood of automated exploitation attempts, making timely remediation essential.

1. Immediately upgrade all affected instances of Wirtualna Uczelnia to version wu#2016.1.5513#0#20251014_113353 or later, where the vulnerability is fixed. 2. Conduct a thorough code review to identify and eliminate any other instances of dynamic code evaluation or unsafe input handling. 3. Implement strict input validation and sanitization for all user-controllable parameters, especially those that influence code execution or redirection logic. 4. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious payloads targeting the 'redirectUrlParameter'. 5. Monitor application logs and network traffic for anomalous activity indicative of exploitation attempts. 6. Restrict network access to the application servers using segmentation and firewall rules to limit exposure. 7. Educate development teams on secure coding practices to prevent similar vulnerabilities. 8. Prepare incident response plans to quickly address potential compromises stemming from this vulnerability.