CVE-2025-12328 identifies a SQL injection vulnerability in the shawon100 RUET OJ platform, a system used for online programming contests and problem management. The vulnerability resides in an unspecified function within the /contestproblem.php file, where the 'Name' parameter is improperly sanitized, allowing attackers to inject malicious SQL code. This injection can be performed remotely without authentication or user interaction, increasing the attack surface. The rolling release development model of RUET OJ means that there are no fixed version numbers for affected or patched releases, complicating vulnerability management. The vendor was notified but has not responded or issued a patch, and although exploits exist publicly, there are no confirmed reports of exploitation in the wild. The CVSS v4.0 score of 5.3 (medium severity) reflects the vulnerability’s moderate impact and ease of exploitation without privileges or user interaction. Successful exploitation could allow attackers to read, modify, or delete database contents, potentially compromising sensitive contest data, user information, or system integrity. The lack of segmentation or scope change in the CVSS vector suggests the impact is limited to the affected component. Given the nature of the platform, the vulnerability poses risks to educational institutions and organizations relying on RUET OJ for contest management or training.

For European organizations, particularly universities, coding bootcamps, and competitive programming platforms using RUET OJ, this vulnerability could lead to unauthorized access to sensitive contest problems, user credentials, or scoring data. The integrity of contest results could be compromised, undermining trust in the platform. Confidentiality breaches could expose participant information or proprietary problem sets. Availability might be affected if attackers execute destructive SQL commands or cause database corruption. Since the exploit requires no authentication or user interaction, attackers can launch automated attacks at scale, increasing risk. The absence of vendor patches elevates the threat level, as organizations must rely on their own mitigations. This vulnerability could also be leveraged as a foothold for further attacks within academic networks, potentially impacting broader IT infrastructure.

European organizations should immediately implement strict input validation and sanitization on all parameters, especially the 'Name' argument in /contestproblem.php, to prevent SQL injection. Employ parameterized queries or prepared statements if source code access is available. Deploy Web Application Firewalls (WAFs) configured to detect and block SQL injection patterns targeting the RUET OJ platform. Monitor database logs for unusual queries or error messages indicative of injection attempts. Isolate the RUET OJ environment from critical internal networks to limit lateral movement in case of compromise. Regularly back up contest and user data to enable recovery from potential data corruption. Engage with the community or vendor forums to track any unofficial patches or updates. Consider alternative contest management platforms if timely patches are not forthcoming. Finally, conduct security audits and penetration tests focused on injection vulnerabilities within the platform.