CVE-2025-12328 identifies a SQL injection vulnerability in the shawon100 RUET OJ platform, a system used for online programming contests and problem management. The vulnerability resides in an unspecified function within the /contestproblem.php file, where the 'Name' parameter is improperly sanitized, allowing an attacker to inject malicious SQL code. This injection can be exploited remotely without requiring authentication or user interaction, increasing the attack surface. The platform operates on a rolling release basis, meaning updates are continuously delivered without fixed version numbers, complicating patch management and vulnerability tracking. Despite early vendor contact, no response or patch has been issued. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploits have been observed in the wild, a public exploit is available, raising the risk of exploitation. The vulnerability could allow attackers to extract sensitive data, modify database contents, or disrupt service availability, depending on the database privileges and application logic. The lack of vendor response and patch availability heightens the urgency for organizations to implement compensating controls.

For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive data such as user credentials, contest problems, or participant information, potentially violating GDPR and other data protection regulations. Integrity of contest data could be compromised, undermining the fairness and trustworthiness of programming competitions or academic assessments. Availability impacts could disrupt contest operations, causing reputational damage and operational delays. Given the remote and unauthenticated nature of the exploit, attackers could target publicly accessible RUET OJ instances without prior access. Organizations relying on RUET OJ for educational or competitive programming purposes may face increased risk of data breaches or service interruptions. The absence of vendor patches necessitates reliance on internal security measures, increasing operational overhead. Additionally, public exploit availability raises the likelihood of opportunistic attacks, especially in environments with limited security monitoring.

1. Implement strict input validation and parameterized queries or prepared statements in the application code to prevent SQL injection. 2. Deploy Web Application Firewalls (WAFs) configured to detect and block SQL injection patterns targeting the 'Name' parameter in /contestproblem.php. 3. Conduct thorough code audits and penetration testing focused on database interaction points within RUET OJ. 4. Monitor database logs and application logs for unusual queries or error messages indicative of injection attempts. 5. Restrict database user privileges to the minimum necessary, limiting the potential damage from successful injection. 6. Isolate RUET OJ instances behind VPNs or access controls where feasible to reduce exposure. 7. Maintain regular backups of contest data to enable recovery in case of data tampering or loss. 8. Engage with the vendor community or open-source maintainers to track any forthcoming patches or updates. 9. Educate administrators and developers on secure coding practices and the importance of timely vulnerability remediation. 10. Consider alternative contest management platforms with active security support if RUET OJ cannot be adequately secured.