CVE-2025-8249 is a critical SQL Injection vulnerability identified in version 1.0 of the 'Exam Form Submission' product developed by code-projects. The vulnerability resides in the /admin/update_s3.php file, specifically in the processing of the 'credits' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially altering the backend database queries executed by the application. This type of injection can lead to unauthorized data access, data modification, or even complete compromise of the database server. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. Although the CVSS 4.0 base score is 6.9 (medium severity), the vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N), which typically elevates the risk. The impact on confidentiality, integrity, and availability is rated as low individually, but combined they could allow attackers to extract sensitive information or corrupt data. No patches or mitigations have been publicly disclosed yet, and while no known exploits in the wild have been reported, the public disclosure of the exploit code increases the risk of exploitation.

For European organizations using the 'Exam Form Submission' 1.0 product, this vulnerability poses a significant risk to the confidentiality and integrity of examination data and related records. Educational institutions, certification bodies, and training providers relying on this software could face data breaches exposing personal information of students or candidates, manipulation of exam results, or disruption of examination processes. The ability to remotely exploit the vulnerability without authentication increases the attack surface, potentially allowing attackers to compromise systems from outside the network perimeter. This could lead to reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. Additionally, if the backend database is shared or integrated with other systems, the impact could cascade, affecting broader organizational infrastructure.

Given the absence of official patches, European organizations should immediately implement compensating controls. These include: 1) Restricting network access to the /admin/update_s3.php endpoint via firewall rules or web application firewalls (WAF) to allow only trusted IP addresses; 2) Employing input validation and sanitization at the application or proxy level to block malicious SQL payloads targeting the 'credits' parameter; 3) Monitoring logs for unusual or suspicious requests to the vulnerable endpoint; 4) Conducting code reviews and applying manual fixes to sanitize inputs if source code access is available; 5) Segregating the database with strict access controls and least privilege principles to limit damage if exploited; 6) Planning for an urgent upgrade or patch deployment once the vendor releases a fix; and 7) Educating IT staff about the vulnerability and signs of exploitation to enable rapid incident response.