
CVE-2025-8371: SQL Injection in code-projects Exam Form Submission

Severity: Medium
Published: Thu Jul 31 2025 (07/31/2025, 07:02:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Exam Form Submission

Description

A vulnerability has been found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/update_s5.php. The manipulation of the argument credits leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/31/2025, 07:32:44 UTC

Technical Analysis

CVE-2025-8371 is a critical SQL injection vulnerability identified in version 1.0 of the code-projects Exam Form Submission software. The vulnerability resides in the /admin/update_s5.php file, specifically in the handling of the 'credits' argument. Because the value is not sufficiently validated or sanitized before it reaches the database query, a remote attacker can manipulate this parameter to inject SQL. This flaw allows an unauthenticated attacker to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability is exploitable over the network without requiring any authentication or user interaction, which increases the risk of automated exploitation. Although the CVSS 4.0 base score is 6.9 (medium severity), SQL injection flaws commonly carry a significant risk to the confidentiality, integrity, and availability of the affected system. Only version 1.0 of the Exam Form Submission product is affected, and no official patches or fixes have been published yet. No exploitation in the wild has been observed so far, but the public disclosure of exploit code increases the likelihood of future attacks. The impact is limited to the affected software installations but can be severe depending on the database contents and the role of the application in the organization.

Potential Impact

For European organizations using code-projects Exam Form Submission 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of examination data and potentially other sensitive information stored in the backend database. Exploitation could lead to unauthorized disclosure of student records, exam results, or administrative data, undermining trust and compliance with data protection regulations such as GDPR. Additionally, attackers could alter or delete critical data, disrupting examination processes and causing operational downtime. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in educational institutions or certification bodies relying on this software. The lack of available patches means organizations must rely on mitigation strategies to reduce exposure. The potential reputational damage and regulatory penalties for data breaches in Europe further amplify the impact. Given the critical role of exam management systems, exploitation could also affect academic integrity and certification validity.

Mitigation Recommendations

European organizations should immediately audit their environments to identify any deployments of code-projects Exam Form Submission version 1.0. In the absence of official patches, the following specific mitigations are recommended:

1) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'credits' parameter in /admin/update_s5.php.
2) Restrict network access to the administrative interface by IP whitelisting or VPN-only access to reduce exposure to remote attackers.
3) Employ input validation and parameterized queries at the application level if source code access is available, to sanitize the 'credits' parameter and prevent injection.
4) Monitor database logs and application logs for unusual queries or errors indicative of injection attempts.
5) Conduct penetration testing focused on SQL injection vectors to verify the effectiveness of mitigations.
6) Prepare an incident response plan for potential data breaches involving this vulnerability.
7) Engage with the vendor or community for updates or patches and plan for timely application once available.

These targeted actions go beyond generic advice by focusing on the specific vulnerable parameter and attack vector.
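Mitigation 3) above is the only one that removes the flaw rather than shielding it. The following is an added example written for this page, not code from the code-projects project and not the contents of /admin/update_s5.php (which the advisory does not reproduce). It contrasts the string-concatenation pattern that produces this class of bug with a hardened handler that validates 'credits' as an integer and binds it through a prepared statement. The table name `students`, the column `credits`, the row key `sid`, and the PDO connection details are all assumptions made for illustration.

```php
<?php
// Added illustrative example; not the vendor's code. Table/column names
// (students, credits, sid) and the database DSN are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern (illustrative): the request value is spliced directly
// into the SQL string, so whatever arrives as "credits" becomes part of the
// statement the database parses. This is the shape of bug the advisory describes.
function update_credits_vulnerable(mysqli $db, array $post): bool
{
    $credits = $post['credits'] ?? '';
    $sid     = $post['sid'] ?? '';
    $sql = "UPDATE students SET credits = '" . $credits . "' WHERE sid = '" . $sid . "'";
    return $db->query($sql) !== false;
}

// --- Hardened pattern: enforce the expected type and range first, then bind the
// values as parameters so the query structure is fixed before data is supplied.
function update_credits_safe(PDO $db, array $post): bool
{
    // Credits is a small non-negative integer; reject anything else up front.
    // The range limits are an assumption about what the application needs.
    $credits = filter_var(
        $post['credits'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000]]
    );
    $sid = filter_var(
        $post['sid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($credits === false || $sid === false) {
        // Malformed input is refused, not coerced or stripped.
        http_response_code(400);
        return false;
    }

    // Prepared statement with typed bound parameters: the database receives the
    // values separately from the SQL text and never interprets them as SQL.
    $stmt = $db->prepare('UPDATE students SET credits = :credits WHERE sid = :sid');
    $stmt->bindValue(':credits', $credits, PDO::PARAM_INT);
    $stmt->bindValue(':sid', $sid, PDO::PARAM_INT);

    return $stmt->execute() && $stmt->rowCount() === 1;
}

// Example wiring (assumed DSN and credentials). Emulated prepares are disabled so
// that the MySQL server itself performs the parameter binding.
// Authentication and authorization of the admin session are a separate control
// and must be enforced before this handler runs.
//
// $db = new PDO('mysql:host=localhost;dbname=examdb;charset=utf8mb4', 'app', 'secret', [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// update_credits_safe($db, $_POST);
```

Two design points: type validation with `FILTER_VALIDATE_INT` rejects non-numeric input before any database call, which also gives the logging in mitigation 4) a clean signal (a 400 on this endpoint is an anomaly worth recording), and binding with `PDO::PARAM_INT` plus `ATTR_EMULATE_PREPARES => false` keeps the separation between query text and data on the server side rather than relying on client-side escaping.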


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-30T16:39:37.046Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 688b189bad5a09ad00b460e0

Added to database: 7/31/2025, 7:17:47 AM

Last enriched: 7/31/2025, 7:32:44 AM

Last updated: 8/29/2025, 1:48:12 PM
