CVE-2025-13555 identifies a SQL injection vulnerability in Campcodes School File Management System version 1.0, specifically in the Login component's /index.php file. The vulnerability arises from improper sanitization or validation of the 'stud_no' parameter, which is used in SQL queries. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This can lead to unauthorized data disclosure, modification, or deletion. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely. The CVSS v4.0 score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, and no privileges or user interaction needed. The vulnerability affects confidentiality, integrity, and availability at a low level, indicating partial but significant impact. No official patches or updates have been linked yet, and no known exploits are currently active in the wild, but the public availability of exploit code increases the urgency for mitigation.

The SQL injection vulnerability in Campcodes School File Management System can have serious consequences for organizations using this software, particularly educational institutions managing sensitive student data. Successful exploitation can lead to unauthorized access to student records, including personal information and academic data, resulting in confidentiality breaches. Attackers may also alter or delete data, impacting data integrity and potentially disrupting school operations. The availability of the system could be affected if attackers execute destructive SQL commands or cause database corruption. Given the remote exploitability without authentication, attackers can launch automated attacks at scale, increasing the risk of widespread compromise. This can lead to reputational damage, regulatory penalties related to data protection laws, and operational downtime.

Organizations should immediately review and restrict access to the affected Campcodes School File Management System, especially the Login component handling the 'stud_no' parameter. Implement input validation and parameterized queries or prepared statements to prevent SQL injection. If possible, apply any vendor-provided patches or updates as soon as they become available. In the absence of official patches, consider deploying Web Application Firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the 'stud_no' parameter. Conduct thorough code audits to identify and remediate similar injection points. Monitor logs for unusual database queries or failed login attempts indicative of exploitation attempts. Educate administrators on incident response procedures to quickly isolate and remediate affected systems. Regularly back up databases to enable recovery in case of data corruption or deletion.