CVE-2025-14566: SQL Injection in kidaze CourseSelectionSystem
A security flaw has been discovered in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The affected element is an unknown function in the file /Profilers/SProfile/reg.php. Manipulating the USN argument results in SQL injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited.
AI Analysis
Technical Summary
CVE-2025-14566 identifies a SQL injection vulnerability in the kidaze CourseSelectionSystem, a software product used for managing course selections. The vulnerability exists in an unspecified function within the /Profilers/SProfile/reg.php file, where the USN parameter is not properly sanitized before being incorporated into SQL queries. This lack of input validation allows an unauthenticated remote attacker to inject malicious SQL code by manipulating the USN argument. The attack vector is network accessible without requiring user interaction or privileges, making exploitation straightforward. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the vulnerability's potential to partially compromise confidentiality, integrity, and availability of the backend database. The scope is limited to the vulnerable component, and no privilege or user interaction is needed. Although no active exploits have been observed in the wild, public exploit code has been released, increasing the likelihood of attacks. The vulnerability affects version 42cd892b40a18d50bd4ed1905fa89f939173a464 and earlier versions of the software. The flaw could allow attackers to extract sensitive student data, modify course selections, or disrupt system availability, impacting educational institutions relying on this system. The lack of official patches necessitates immediate mitigation through secure coding practices and monitoring.
Potential Impact
For European organizations, particularly educational institutions using the kidaze CourseSelectionSystem, this vulnerability poses significant risks. Exploitation could lead to unauthorized disclosure of sensitive student and faculty data, including personal identifiers and academic records, violating GDPR and other data protection regulations. Integrity of course selection data could be compromised, leading to administrative errors and loss of trust. Availability impacts could disrupt academic operations during critical enrollment periods. The public availability of exploit code increases the risk of opportunistic attacks, potentially targeting institutions with weaker security postures. Organizations may face reputational damage, regulatory fines, and operational disruptions. The medium severity score reflects a moderate but tangible threat level, especially given the remote, unauthenticated attack vector. The impact is amplified in countries with widespread adoption of this system or where educational data is a high-value target for cybercriminals or state-sponsored actors.
Mitigation Recommendations
1. Immediate implementation of input validation and sanitization for the USN parameter and all user inputs within the affected application components.
2. Refactor database queries to use parameterized statements or prepared queries to eliminate SQL injection risks.
3. Conduct a thorough code audit of the entire CourseSelectionSystem to identify and remediate similar vulnerabilities.
4. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the reg.php endpoint.
5. Monitor database logs and application logs for unusual query patterns or errors indicative of injection attempts.
6. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation.
7. Engage with the vendor or development team to obtain or develop official patches or updates addressing this vulnerability.
8. Educate system administrators and developers on secure coding practices and the importance of timely patching.
9. Implement network segmentation to isolate the CourseSelectionSystem from critical infrastructure where feasible.
10. Prepare incident response plans specific to SQL injection attacks to enable rapid containment and remediation.
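Recommendations 1 and 2 applied to a USN lookup, shown as an added example that is not code from CourseSelectionSystem. The students table, its columns, the USN format and the function names are assumptions, and an in-memory SQLite database stands in for the real backend.

```php
<?php
// Added example, not code from CourseSelectionSystem. The table, columns and
// USN format below are assumptions made for illustration.
declare(strict_types=1);

// Allow-list validation: accept only the assumed USN shape (8-12 uppercase
// letters/digits). Anything else is rejected before it reaches the database.
function validate_usn(string $raw): ?string
{
    $usn = strtoupper(trim($raw));
    return preg_match('/\A[A-Z0-9]{8,12}\z/', $usn) === 1 ? $usn : null;
}

// Before: request data concatenated into the SQL text, so the value can
// change the structure of the statement.
function lookup_unsafe(PDO $db, string $usn): array
{
    return $db->query("SELECT usn, name FROM students WHERE usn = '$usn'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// After: the statement text is fixed and the value is bound as data.
function lookup_safe(PDO $db, string $raw): array
{
    $usn = validate_usn($raw);
    if ($usn === null) {
        return [];                       // reject; log the attempt in production
    }
    $stmt = $db->prepare('SELECT usn, name FROM students WHERE usn = :usn');
    $stmt->execute([':usn' => $usn]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (usn TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO students VALUES ('1AB21CS001', 'Alice'), ('1AB21CS002', 'Bob')");

$hostile = "x' OR '1'='1";               // constructed test input
printf("unsafe, hostile input: %d rows\n", count(lookup_unsafe($db, $hostile)));
printf("safe,   hostile input: %d rows\n", count(lookup_safe($db, $hostile)));
printf("safe,   valid input:   %d rows\n", count(lookup_safe($db, '1ab21cs001')));
```

The bound parameter is the actual fix; the allow-list check is defence in depth and gives a clean point at which to log rejected values for the monitoring in recommendation 5.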
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-12T11:07:56.964Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 693c45b972d8eb03a613ec58
Added to database: 12/12/2025, 4:41:29 PM
Last enriched: 12/12/2025, 4:41:52 PM
Last updated: 12/15/2025, 2:00:59 AM