CVE-2025-13564 identifies a denial of service vulnerability in the SourceCodester Pre-School Management System version 1.0, specifically in the removefile function located in app/controllers/FilehelperController.php. The vulnerability arises from improper handling of the filepath argument, which an attacker can manipulate remotely to cause the application to crash or become unresponsive, effectively denying service to legitimate users. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), no privileges (PR:L but effectively low since no authentication is needed), and no user interaction (UI:N). The vulnerability impacts the availability of the system, with limited impact on confidentiality and integrity. The CVSS 4.0 vector indicates partial impact on integrity and availability, but no impact on confidentiality or scope. Although no exploits are currently observed in the wild, the public release of an exploit increases the likelihood of exploitation. The vulnerability affects only version 1.0 of the product, which is a niche management system primarily used in educational and childcare environments. The lack of patches at the time of publication means organizations must rely on mitigations to reduce exposure until a fix is available.

For European organizations, the primary impact is service disruption of preschool management operations, which could affect administrative tasks, scheduling, and record-keeping. This can lead to operational delays and potential reputational damage, especially in institutions relying heavily on this software for daily activities. While the vulnerability does not directly compromise sensitive data confidentiality or integrity, denial of service could indirectly affect data availability and operational continuity. Given the remote exploitability and public availability of an exploit, attackers could target multiple institutions simultaneously, amplifying the impact. The medium severity suggests that while the threat is significant, it is not critical, but organizations should prioritize mitigation to avoid operational interruptions. The impact is more pronounced in organizations without robust network segmentation or application-layer protections.

Organizations should immediately restrict external access to the SourceCodester Pre-School Management System, especially the endpoint handling file removal requests. Implement strict input validation and sanitization on the filepath parameter to prevent malicious manipulation. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function. Monitor logs for unusual activity related to file removal operations. Network segmentation should isolate the management system from public-facing networks. Until an official patch is released, consider disabling or limiting the removefile functionality if feasible. Regularly check vendor communications for patches or updates addressing this vulnerability. Conduct penetration testing to verify the effectiveness of mitigations and ensure no other related vulnerabilities exist.