CVE-2025-12327 identifies a SQL injection vulnerability in the shawon100 RUET OJ platform, a system used for online judging in programming contests or educational settings. The vulnerability resides in the processing of the /description.php file, where the ID parameter is improperly sanitized, allowing an attacker to inject malicious SQL code. This flaw can be exploited remotely without authentication or user interaction, leveraging low privileges to manipulate backend database queries. The injection can lead to unauthorized data access, modification, or deletion, impacting confidentiality, integrity, and availability of the system's data. The product follows a rolling release model, which means updates are continuously delivered without fixed versioning, complicating patch management and vulnerability tracking. The vendor was contacted but did not respond, and no official patches or fixes have been released. Although no active exploits are reported in the wild, the public disclosure of the vulnerability increases the risk of exploitation by attackers. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no required privileges, and no user interaction, but limited impact on confidentiality, integrity, and availability. The vulnerability requires immediate attention in environments where RUET OJ is deployed to prevent potential data breaches or service disruptions.

For European organizations, especially educational institutions, competitive programming platforms, or software development training centers using RUET OJ, this vulnerability poses a risk of unauthorized database access and manipulation. Exploitation could lead to leakage of sensitive user data, alteration of contest results, or disruption of service availability, undermining trust and operational continuity. Given the remote and unauthenticated nature of the attack, threat actors could exploit this vulnerability at scale if the platform is publicly accessible. The rolling release model and lack of vendor response complicate timely patching, increasing exposure duration. Organizations may face reputational damage, regulatory compliance issues related to data protection (e.g., GDPR), and potential financial losses due to service downtime or data breaches. The impact is heightened in countries with extensive use of open-source or niche educational software platforms and where competitive programming is prevalent.

Since no official patches or vendor updates are currently available, European organizations should implement immediate compensating controls. These include: 1) Conducting a thorough code review of /description.php and all input handling routines to identify and sanitize all user inputs, especially the ID parameter. 2) Refactoring database queries to use parameterized statements or prepared queries to prevent SQL injection. 3) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the affected endpoint. 4) Restricting access to the RUET OJ platform to trusted networks or VPNs where feasible, reducing exposure to external attackers. 5) Monitoring logs for suspicious query patterns or repeated failed attempts indicative of injection attempts. 6) Planning migration or replacement of the affected platform if vendor support remains absent. 7) Educating developers and administrators on secure coding practices and incident response related to injection attacks. These steps go beyond generic advice by focusing on immediate code-level fixes, network controls, and operational monitoring tailored to the specific vulnerability context.