
CVE-2025-25403: n/a in n/a

Severity: Critical
Vulnerability: CVE-2025-25403
Published: Tue Apr 29 2025 (04/29/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Slims (Senayan Library Management Systems) 9 Bulian V9.6.1 is vulnerable to SQL Injection in admin/modules/master_file/coll_type.php.

AI-Powered Analysis

Last updated: 07/03/2025, 08:28:27 UTC

Technical Analysis

CVE-2025-25403 is a critical SQL Injection vulnerability in Slims (Senayan Library Management Systems) version 9 Bulian V9.6.1, located in the admin/modules/master_file/coll_type.php component. SQL Injection (CWE-89) occurs when untrusted input is included in an SQL query without proper sanitization or parameterization, allowing an attacker to alter the query the application executes against its database. The vulnerability has a CVSS 3.1 base score of 9.8 (critical). Its vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates that it is exploitable remotely over the network with low complexity, without privileges or user interaction, and with high impact on confidentiality, integrity, and availability. Successful exploitation could allow an attacker to extract sensitive data, modify or delete records, or execute administrative operations on the backend database, potentially leading to full system compromise. No exploits are currently reported in the wild, but the severity and ease of exploitation make this a significant threat. Public details are limited to the Slims version and the affected file path; nonetheless, the presence of this flaw in a library management system used by educational and public institutions raises concerns about data privacy and operational disruption.

Potential Impact

For European organizations, particularly libraries, educational institutions, and public sector entities using Slims 9 Bulian V9.6.1, this vulnerability poses a severe risk. Exploitation could lead to unauthorized access to patron records, including personally identifiable information (PII), membership data, and borrowing histories, violating GDPR and other data protection regulations. Integrity of library catalog data could be compromised, disrupting services and trust. Availability impacts could result in denial of service or system outages, affecting access to critical educational resources. The critical nature of the vulnerability means attackers could fully compromise backend databases, potentially pivoting to other internal systems. Given the reliance on library management systems for public knowledge access, this vulnerability could also have reputational and operational consequences for affected organizations.

Mitigation Recommendations

Immediate mitigation should focus on applying any available patches or updates from the Slims project once released. In the absence of official patches, organizations should implement strict input validation and parameterized queries or prepared statements in the affected PHP scripts to prevent injection. Web application firewalls (WAFs) can be configured to detect and block SQL injection patterns targeting the coll_type.php endpoint. Restricting administrative interface access via network segmentation, VPNs, or IP whitelisting can reduce exposure. Regular database backups and monitoring for unusual query patterns or access logs are recommended to detect exploitation attempts early. Organizations should also conduct code audits and penetration testing focused on SQL injection vectors in their Slims deployment. Finally, educating administrators about the risks and signs of SQL injection attacks will improve incident response readiness.
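The following added example (not code from the SLiMS project, and not the actual contents of coll_type.php) illustrates the generic defect class behind CWE-89 and the remediation the recommendation above describes: the vulnerable string-concatenation pattern beside a hardened version that validates the input type and binds it as a prepared-statement parameter, plus the allowlist approach needed for identifiers such as sort columns, which cannot be bound. The table and column names (mst_coll_type, coll_type_id, coll_type_name) and the connection placeholders are assumptions chosen for illustration.

```php
<?php
// Added example (not SLiMS code): a CWE-89 pattern and its fix with mysqli prepared statements.
// Table/column names are assumptions chosen to resemble a collection-type master file.

declare(strict_types=1);

// --- Vulnerable pattern: request input concatenated straight into the SQL text. ---
function findCollTypeUnsafe(mysqli $db, string $rawId): ?array
{
    // $rawId comes directly from $_GET/$_POST; whatever it contains becomes part of the query.
    $sql = "SELECT coll_type_id, coll_type_name FROM mst_coll_type WHERE coll_type_id = " . $rawId;
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened pattern: validate the type first, then bind the value as a parameter. ---
function findCollTypeSafe(mysqli $db, string $rawId): ?array
{
    // Reject anything that is not a positive integer before it reaches the database layer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The query text is fixed; the value travels separately and is never parsed as SQL.
    $stmt = $db->prepare('SELECT coll_type_id, coll_type_name FROM mst_coll_type WHERE coll_type_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Identifiers (sort columns, table names) cannot be bound as parameters, so the only safe
// source for them is a fixed allowlist; unknown values fall back to a default.
function listCollTypesSorted(mysqli $db, string $requestedSortCol): array
{
    $allowed = ['coll_type_id' => 'coll_type_id', 'coll_type_name' => 'coll_type_name'];
    $sortCol = $allowed[$requestedSortCol] ?? 'coll_type_id';
    $stmt = $db->prepare("SELECT coll_type_id, coll_type_name FROM mst_coll_type ORDER BY {$sortCol}");
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage sketch (connection values are placeholders to be replaced with your own):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $db  = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $row = findCollTypeSafe($db, $_GET['id'] ?? '');
```

Two design points worth noting when auditing a deployment: type validation and parameter binding are complementary, not alternatives (validation rejects nonsense early and gives a clean error path; binding guarantees the value can never change the query structure), and any place where a request value selects a column, table, or sort direction needs the allowlist treatment because prepared statements do not cover identifiers. `get_result()` requires the mysqlnd driver, which is the default in current PHP builds.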


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-02-07T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981cc4522896dcbda4ef

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/3/2025, 8:28:27 AM

Last updated: 8/16/2025, 12:50:55 AM
