CVE-2025-66947: n/a
SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitation may lead to full database compromise, especially within an administrative module.
AI Analysis
Technical Summary
CVE-2025-66947 is a critical SQL injection vulnerability identified in krishanmuraiji SMS version 1.0, a student management system. The vulnerability exists in the /studentms/admin/edit-class-detail.php script, specifically through the editid GET parameter, which is improperly sanitized. An attacker can exploit this flaw by injecting SQL payloads that leverage the SQL SLEEP() function to create controlled delays, enabling time-based blind SQL injection attacks. This technique allows attackers to infer the contents of the backend database even when direct output is not available, effectively bypassing error-based or union-based SQL injection mitigations.

Since the vulnerable endpoint is part of an administrative module, successful exploitation can lead to full compromise of the database, including sensitive student records, administrative credentials, and other confidential information. The vulnerability does not require prior authentication, increasing its risk profile. No official patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild.

The lack of a CVSS score necessitates an independent severity assessment. Given the potential impact on confidentiality, integrity, and availability of critical educational data, combined with the ease of exploitation via unauthenticated HTTP requests, this vulnerability represents a high-severity threat. Organizations using krishanmuraiji SMS should urgently review their systems and apply mitigations to prevent exploitation.
Potential Impact
For European organizations, particularly educational institutions using krishanmuraiji SMS or similar student management systems, this vulnerability poses a severe risk. Exploitation could lead to unauthorized access to sensitive student and staff data, including personal identification information, academic records, and administrative credentials. Such a breach could result in data privacy violations under GDPR, leading to legal penalties and reputational damage. Additionally, attackers could manipulate or delete critical data, disrupting educational operations and causing availability issues. The administrative nature of the affected module increases the likelihood of high-value data exposure. Given the lack of patches and the ease of exploitation without authentication, European entities face an elevated risk of targeted attacks or opportunistic exploitation. The impact extends beyond data theft to potential compliance violations and operational disruptions, which could affect funding and stakeholder trust.
Mitigation Recommendations
To mitigate CVE-2025-66947, organizations should:
- Immediately implement strict input validation and sanitization on the editid GET parameter and all other user inputs in the application.
- Employ parameterized queries or prepared statements to prevent SQL injection.
- Restrict access to the /studentms/admin/edit-class-detail.php endpoint using network-level controls such as IP whitelisting or VPN access to limit exposure to trusted users only.
- Monitor web server logs for suspicious requests containing SQL injection payloads or unusual delays indicative of time-based attacks.
- If possible, deploy a Web Application Firewall (WAF) with rules tailored to detect and block SQL injection attempts targeting this endpoint.
- Conduct a thorough security audit of the entire krishanmuraiji SMS application to identify and remediate other potential injection points.
- Engage with the software vendor or community to obtain or develop patches and update the software accordingly.
- Ensure regular backups of the database are maintained and tested to enable recovery in case of compromise.
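The log-monitoring recommendation above, as an added example (not part of the original advisory or of the krishanmuraiji SMS code): a Python check that flags requests to the affected endpoint whose editid is not a single integer, contains a SLEEP( call, or took unusually long to answer. The access-log layout (common log format with the request time in seconds as the last field), the 3-second threshold, the assumption that a legitimate editid is a decimal row id, and the sample lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/studentms/admin/edit-class-detail.php"  # path named in the advisory
SLOW_SECONDS = 3.0  # assumed threshold; tune to the endpoint's normal latency

# Assumed layout: common log format plus request time (seconds) as last field.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" \d{3} \S+ (\d+(?:\.\d+)?)$')
SLEEP_RE = re.compile(r"\bsleep\s*\(", re.IGNORECASE)


def inspect(line):
    """Return (client_ip, reasons) for a suspicious request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, target, seconds = m.groups()
    url = urlsplit(target)
    if url.path != ENDPOINT:
        return None
    # parse_qs percent-decodes, so encoded payloads are compared in clear text.
    values = parse_qs(url.query, keep_blank_values=True).get("editid", [])
    reasons = []
    # Assumption: a legitimate editid is exactly one decimal row id.
    if len(values) != 1 or not re.fullmatch(r"[0-9]+", values[0]):
        reasons.append("editid is not a single integer")
    if any(SLEEP_RE.search(v) for v in values):
        reasons.append("SLEEP( in editid")
    if float(seconds) >= SLOW_SECONDS:
        reasons.append("slow response")
    return (ip, reasons) if reasons else None


def flagged(lines):
    """Inspect every line and keep only the suspicious ones."""
    return [hit for hit in map(inspect, lines) if hit]


# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Dec/2025:15:01:02 +0000] "GET /studentms/admin/edit-class-detail.php?editid=4 HTTP/1.1" 200 5120 0.041',
    '203.0.113.9 - - [26/Dec/2025:15:01:09 +0000] "GET /studentms/admin/edit-class-detail.php?editid=4%20AND%20SLEEP(5) HTTP/1.1" 200 5120 5.038',
    '203.0.113.9 - - [26/Dec/2025:15:01:15 +0000] "GET /studentms/admin/edit-class-detail.php?editid=4%20aNd%20sLeEp%285%29 HTTP/1.1" 200 5120 0.039',
    '203.0.113.7 - - [26/Dec/2025:15:01:20 +0000] "GET /favicon.ico HTTP/1.1" 200 812 0.020',
]

if __name__ == "__main__":
    for ip, reasons in flagged(SAMPLE_LOG):
        print(ip, "; ".join(reasons))
```

The integer check is the stronger signal of the three: it does not depend on recognising any particular payload, and the same rule can be enforced in the application as input validation in front of a prepared statement.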
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-08T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 694ea97cf5f69c8dc2a0b964
Added to database: 12/26/2025, 3:27:56 PM
Last enriched: 12/26/2025, 3:40:33 PM
Last updated: 12/26/2025, 5:33:56 PM