CVE-2025-14565 identifies a SQL injection vulnerability in the kidaze CourseSelectionSystem, specifically within an unknown function in the file /Profilers/SProfile/login1.php. The vulnerability arises from improper sanitization or validation of the Username parameter, which can be manipulated by an unauthenticated remote attacker to inject arbitrary SQL commands. This injection flaw allows attackers to execute unauthorized queries against the backend database, potentially leading to unauthorized data disclosure, modification, or deletion. The vulnerability affects versions up to the commit hash 42cd892b40a18d50bd4ed1905fa89f939173a464. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and can be exploited with low attack complexity (AC:L). The impact on confidentiality, integrity, and availability is limited but non-negligible (VC:L, VI:L, VA:L). Although no exploits have been observed in the wild, a public exploit exists, increasing the likelihood of exploitation attempts. The vulnerability was published on December 12, 2025, and is tracked under CVE-2025-14565 with a CVSS 4.0 score of 6.9, categorized as medium severity. The lack of patches or official fixes at the time of publication necessitates immediate mitigation efforts by affected organizations.

The SQL injection vulnerability in kidaze CourseSelectionSystem can have significant impacts on organizations using this software, particularly educational institutions managing course selections and student data. Successful exploitation can lead to unauthorized access to sensitive information such as student records, login credentials, and course enrollment data, compromising confidentiality. Attackers may also alter or delete data, impacting data integrity and potentially disrupting course registration processes, thus affecting availability. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, increasing risk. The availability of a public exploit further elevates the threat, potentially enabling widespread attacks. Organizations may face reputational damage, regulatory penalties for data breaches, and operational disruptions. The medium severity rating indicates that while the impact is serious, it may not lead to full system compromise or widespread denial of service without additional vulnerabilities.

To mitigate CVE-2025-14565, organizations should implement the following specific measures: 1) Immediately review and sanitize all inputs to the Username parameter in /Profilers/SProfile/login1.php, employing strict input validation and rejecting suspicious characters or patterns. 2) Refactor the vulnerable code to use parameterized queries or prepared statements to prevent SQL injection. 3) Deploy Web Application Firewalls (WAFs) configured to detect and block SQL injection payloads targeting the affected endpoint. 4) Monitor database logs and application logs for unusual query patterns or failed login attempts indicative of injection attempts. 5) Restrict database user privileges to the minimum necessary to limit the impact of potential injection attacks. 6) If patches or updates become available from kidaze, apply them promptly. 7) Conduct security code reviews and penetration testing focused on injection flaws in the CourseSelectionSystem. 8) Educate developers and administrators about secure coding practices and the risks of SQL injection. These targeted actions go beyond generic advice and address the vulnerability's specific context and exploitation vector.