
CVE-2025-7191: SQL Injection in code-projects Student Enrollment System

Medium
Tags: Vulnerability, CVE-2025-7191
Published: Tue Jul 08 2025 (07/08/2025, 19:02:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Student Enrollment System

Description

A vulnerability has been found in code-projects Student Enrollment System 1.0 and classified as critical. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/15/2025, 21:54:34 UTC

Technical Analysis

CVE-2025-7191 is a SQL injection vulnerability in version 1.0 of the code-projects Student Enrollment System, located in the /login.php file. VulDB classifies the issue as critical, while the CVSS 4.0 score listed on this page rates it Medium. The flaw arises because the 'Username' parameter of the login form reaches a database query without sanitization, validation or parameter binding, so a remote attacker can inject SQL syntax without authentication or user interaction. The vulnerable code itself is not published ("unknown code of the file /login.php"), but the usual shape of such a bug is an authentication query assembled by string concatenation, which lets an attacker rewrite the WHERE clause to bypass the credential check and to read or modify other rows and tables within the privileges of the application's database account. The CVSS 4.0 vector indicates that the attack can be performed over the network (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and rates the impact on confidentiality, integrity and availability as low individually, which is consistent with the Medium score; the combination of an unauthenticated remote vector with a public exploit is what makes the issue worth prioritizing regardless. No exploitation in the wild has been observed at the time of writing, but the exploit has been disclosed publicly. The Student Enrollment System is used by educational institutions to manage student data, so the confidentiality and integrity of that data are the main concern, and no vendor patch or mitigation is available, which leaves organizations running the software to remediate it themselves.

Potential Impact

For European organizations, particularly educational institutions running Student Enrollment System 1.0, this vulnerability poses a significant risk. Exploitation could expose sensitive student data, including personal identification information, enrollment records and, where the deployment stores it, financial information. Such a breach could constitute a violation of the EU General Data Protection Regulation (GDPR), with the legal and financial penalties that entails. Manipulation of enrollment data could also disrupt academic operations, undermining the integrity of student records and the institution's reputation. Because the exploit is remote and unauthenticated, a threat actor can scan for and target multiple exposed installations at once. Given the sensitivity of educational data and the growing reliance on digital enrollment systems, the impact extends beyond data loss to operational disruption and loss of stakeholder trust.

Mitigation Recommendations

1. Immediately implement input validation and parameterized queries or prepared statements in the /login.php file to prevent SQL injection attacks.
2. Conduct a thorough code review of the entire Student Enrollment System to identify and remediate any other injection points or security weaknesses.
3. If vendor patches become available, prioritize their deployment across all affected systems.
4. Employ Web Application Firewalls (WAFs) configured to detect and block SQL injection attempts targeting the login endpoint.
5. Monitor logs for unusual login attempts or database errors indicative of injection attempts.
6. Restrict database user permissions to the minimum necessary to limit the impact of a potential injection attack.
7. Consider migrating to a more secure and actively maintained enrollment system if remediation is not feasible.
8. Educate IT staff and administrators on the risks of SQL injection and the importance of secure coding practices.
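As an added example (not code from the code-projects project, whose /login.php is not published), the following Python script models the bug behind recommendation 1 with an in-memory SQLite database: a login query built by string concatenation, the kind of Username payload that bypasses it, and the parameterized replacement with an allowlist check as a second layer. The table, accounts, passwords and payloads are constructed for the demonstration; the real schema and query are unknown, and the original application is PHP, so this is a model of the flaw rather than the vendor's code.

```python
import re
import sqlite3


# Constructed stand-in for the enrollment system's database. The real schema is
# not published; plaintext passwords are used only to keep the model short.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                   [("admin", "S3cret!", "admin"), ("alice", "hunter2", "student")])
    return db


def login_vulnerable(db, username, password):
    """Model of the bug: the Username value is concatenated into the statement.

    A Username of   admin' --   turns the query into
        SELECT ... WHERE username = 'admin' -- ' AND password = '...'
    so the password condition is commented out and the admin row comes back.
    """
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


# Allowlist for usernames (hypothetical policy): letters, digits, '_', '.', '-'.
# Quotes, spaces and comment sequences are rejected before any query is built.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def username_is_valid(username):
    return USERNAME_RE.fullmatch(username) is not None


def login_parameterized(db, username, password):
    """Hardened login: the driver binds both values as data, so no input can
    alter the structure of the statement. The same payloads now simply fail to
    match any row."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def login_hardened(db, username, password):
    """Parameter binding plus the allowlist check from recommendation 1."""
    if not username_is_valid(username):
        return None
    return login_parameterized(db, username, password)


if __name__ == "__main__":
    db = make_db()
    bypass = "admin' -- "
    print("vulnerable   :", login_vulnerable(db, bypass, "wrong"))
    print("parameterized:", login_parameterized(db, bypass, "wrong"))
    print("hardened     :", login_hardened(db, bypass, "wrong"))
    print("legit login  :", login_hardened(db, "alice", "hunter2"))
```

In the real application the equivalent fix is to build the login query with mysqli or PDO prepared statements and bind the Username and password values rather than interpolating them. Binding is the control that removes the injection; the allowlist is defence in depth and also gives recommendation 5 a cheap signal, since a login attempt whose username fails the allowlist is worth logging. Recommendation 6 still matters even after the fix, because a database account limited to SELECT on the users table bounds the damage of any injection point the code review in recommendation 2 misses.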


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-07T08:19:15.479Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 686d6d446f40f0eb72f9d11a

Added to database: 7/8/2025, 7:11:00 PM

Last enriched: 7/15/2025, 9:54:34 PM

Last updated: 8/9/2025, 9:16:53 AM


