CVE-2025-14668 identifies a SQL injection vulnerability in campcodes Advanced Online Examination System version 1.0, located in the /query/loginExe.php script. The vulnerability arises from insufficient sanitization of the Username parameter, allowing an attacker to inject arbitrary SQL commands remotely without requiring authentication or user interaction. This flaw enables attackers to manipulate backend database queries, potentially extracting sensitive data, modifying records, or disrupting database operations. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the attack vector is network-based with low complexity and no privileges or user interaction needed, but with limited impact on confidentiality, integrity, and availability. The exploit is publicly available, increasing the likelihood of exploitation. The vulnerability affects only version 1.0 of the product, which is used in online examination environments where data integrity and confidentiality are critical. No patches have been officially released yet, and no known exploits are active in the wild, but the public disclosure necessitates immediate attention.

For European organizations, especially educational institutions and certification bodies relying on campcodes Advanced Online Examination System 1.0, this vulnerability poses significant risks. Exploitation could lead to unauthorized access to examination data, including candidate credentials and exam results, undermining the integrity of assessments. Attackers could alter or delete exam data, causing operational disruptions and reputational damage. Confidential student information could be exposed, violating GDPR and other data protection regulations, potentially resulting in legal and financial penalties. The remote and unauthenticated nature of the attack increases the threat surface, making it easier for attackers to target multiple organizations simultaneously. The medium severity rating suggests moderate but tangible risks, particularly where the system is critical to academic or certification processes. The lack of current active exploits reduces immediate risk but does not eliminate it given the public availability of exploit code.

Organizations should immediately audit their use of campcodes Advanced Online Examination System version 1.0 and plan for an upgrade or patch once available. In the absence of an official patch, implement strict input validation and sanitization on the Username parameter at the web application firewall (WAF) or reverse proxy level to block SQL injection payloads. Employ parameterized queries or prepared statements in the application code if source access is possible. Restrict network access to the examination system to trusted IP ranges and monitor logs for suspicious login attempts or unusual query patterns. Conduct regular security assessments and penetration testing focused on injection vulnerabilities. Educate administrators on the risks and signs of exploitation. Additionally, implement database-level access controls and encryption to limit data exposure in case of compromise. Maintain up-to-date backups of examination data to enable recovery from potential data tampering or deletion.