
CVE-2025-9150: SQL Injection in Surbowl dormitory-management-php

Severity: Medium
Tags: Vulnerability, CVE-2025-9150
Published: Tue Aug 19 2025 (08/19/2025, 17:32:08 UTC)
Source: CVE Database V5
Vendor/Project: Surbowl
Product: dormitory-management-php

Description

A vulnerability was identified in Surbowl dormitory-management-php up to commit 9f1d9d1f528cabffc66fda3652c56ff327fda317. An unknown function of the file /admin/violation_add.php?id=2 is affected. Manipulation of the argument 'id' leads to SQL injection. The attack may be performed from a remote location. The exploit is publicly available and might be used. This product uses a rolling release system for continuous delivery, so version information for affected or updated releases is not disclosed. This vulnerability only affects products that are no longer supported by the maintainer.

AI-Powered Analysis

Last updated: 08/19/2025, 18:02:55 UTC

Technical Analysis

CVE-2025-9150 is a SQL Injection vulnerability identified in the Surbowl dormitory-management-php application, specifically in the /admin/violation_add.php script when processing the 'id' parameter. The vulnerability arises from improper sanitization or validation of the 'id' argument, allowing an attacker to inject malicious SQL code remotely without any authentication or user interaction. This can lead to unauthorized access, data leakage, or manipulation of the backend database. The affected version is identified by a specific commit hash (9f1d9d1f528cabffc66fda3652c56ff327fda317), and the product follows a rolling release model, complicating version tracking. Importantly, the vulnerability affects only unsupported versions of the product, meaning no official patches or updates are available from the maintainer. The CVSS 4.0 score is 6.9 (medium severity), reflecting the network attack vector, no required privileges or user interaction, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, public exploit code exists, increasing the risk of exploitation.

Potential Impact

For European organizations using Surbowl dormitory-management-php, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized database access, exposing sensitive personal data of dormitory residents or staff, potentially violating GDPR and other data protection regulations. Data integrity could be compromised, affecting operational reliability and trustworthiness of the management system. Since the product is no longer supported, organizations cannot rely on vendor patches, increasing exposure duration. The remote, unauthenticated nature of the attack vector means attackers can exploit the vulnerability over the internet without credentials, raising the risk of automated or targeted attacks. This could lead to reputational damage, regulatory fines, and operational disruptions in educational or residential institutions using this software.

Mitigation Recommendations

Given the lack of official patches, European organizations should prioritize immediate risk reduction by:
1) Isolating or restricting access to the vulnerable /admin/violation_add.php endpoint using network-level controls such as firewalls or VPNs, so that only trusted administrators can reach it;
2) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'id' parameter;
3) Conducting code reviews and, where source code access is available, applying input validation and parameterized queries or prepared statements in the affected code;
4) Considering migration to supported alternatives or newer, actively maintained dormitory management solutions;
5) Monitoring logs for suspicious activity related to SQL injection attempts;
6) Educating administrators on the risk and ensuring strong authentication and access controls around the management interface to reduce the attack surface.
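To make recommendation 3 concrete, the following PHP is an added illustration, not code from the dormitory-management-php project (the affected function is not identified on this page). It contrasts the string-concatenated query pattern that produces this class of flaw with a hardened version that validates the 'id' parameter as a positive integer and binds it through a PDO prepared statement; the table and column names and the SQLite sample data are assumptions.

```php
<?php
// Added illustration, not the project's code. Table/column names are assumed.

// Vulnerable pattern: the request parameter is concatenated straight into SQL,
// so a non-numeric 'id' value changes the structure of the statement itself.
function loadViolationUnsafe(PDO $db, array $get): array|false
{
    $id  = $get['id'];                                      // untrusted, unvalidated
    $sql = "SELECT * FROM violations WHERE id = " . $id;    // string concatenation
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// the value as a typed parameter so the SQL structure is fixed at prepare time.
function loadViolationSafe(PDO $db, array $get): array|false
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return false;   // caller should answer with HTTP 400 and log the rejection
    }
    $stmt = $db->prepare('SELECT * FROM violations WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database with constructed rows.
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the client library, performs the parameter binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE violations (id INTEGER PRIMARY KEY, student TEXT, note TEXT)');
$db->exec("INSERT INTO violations VALUES (1, 'alice', 'noise'), (2, 'bob', 'curfew')");

var_dump(loadViolationSafe($db, ['id' => '2']));     // bob's row
var_dump(loadViolationSafe($db, ['id' => '2abc']));  // bool(false): rejected before any SQL runs
var_dump(loadViolationSafe($db, ['id' => '0']));     // bool(false): below min_range
```

The validation step alone does not replace the prepared statement: both layers together keep user input from ever being interpreted as SQL syntax.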


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-19T07:49:55.118Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a4b8c3ad5a09ad00f992c4

Added to database: 8/19/2025, 5:47:47 PM

Last enriched: 8/19/2025, 6:02:55 PM

Last updated: 8/19/2025, 8:17:49 PM
