CVE-2025-9662: SQL Injection in code-projects Simple Grading System
A vulnerability was determined in code-projects Simple Grading System 1.0. This affects an unknown function of the file /login.php of the component Admin Panel. Manipulating the input can lead to SQL injection. The attack may be performed from a remote location. The exploit has been publicly disclosed and may be utilized.
AI Analysis
Technical Summary
CVE-2025-9662 is a SQL injection vulnerability in version 1.0 of the code-projects Simple Grading System, located in an unknown function of the /login.php file of the Admin Panel component. It allows an attacker to alter the SQL queries issued during login by injecting crafted input, potentially bypassing authentication or extracting sensitive data from the backend database. The attack can be carried out remotely with no authentication or user interaction, so it is reachable by unauthenticated actors over the network. The vulnerability has been publicly disclosed, which raises the likelihood of exploitation, although no exploitation in the wild has been reported yet. The CVSS v4.0 base score is 6.9 (medium severity): exploitation is easy (no privileges or user interaction needed), but the impact on confidentiality, integrity, and availability is rated low in each case. Only version 1.0 of the product is affected. Because the flaw sits in the Admin Panel's login mechanism, successful exploitation could give an attacker unauthorized administrative access or expose sensitive user data, compromising the integrity and confidentiality of the grading system's data.
Potential Impact
For European organizations, especially educational institutions or entities using the Simple Grading System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of student records and grading data. Unauthorized access to the admin panel could lead to data manipulation, unauthorized grade changes, or exposure of personal information, potentially violating GDPR and other data protection regulations. The remote and unauthenticated nature of the exploit increases the attack surface, allowing attackers to target vulnerable systems from anywhere. While the vulnerability does not directly impact availability, the potential for data breaches and unauthorized modifications could disrupt institutional operations and damage reputations. Organizations relying on this software without timely patching or mitigations may face compliance issues and increased risk of targeted attacks, especially as the exploit details are publicly available.
Mitigation Recommendations
Since no official patches or updates are currently available for Simple Grading System 1.0, European organizations should implement the following specific mitigations:
1) Immediately restrict network access to the /login.php endpoint of the Admin Panel using firewall rules or web application firewalls (WAF) to limit exposure to trusted IP addresses only.
2) Employ input validation and parameterized queries at the application or database layer to prevent SQL injection, if source code access and modification are possible.
3) Monitor logs for unusual login attempts or SQL errors indicative of injection attempts.
4) Consider deploying runtime application self-protection (RASP) tools to detect and block injection attacks in real time.
5) If feasible, upgrade or migrate to a newer, patched version of the grading system or alternative software solutions with secure coding practices.
6) Conduct regular security assessments and penetration testing focused on injection vulnerabilities.
7) Educate IT and security teams about the vulnerability and ensure incident response plans are updated to handle potential exploitation scenarios.
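The parameterized-query mitigation (item 2) and the log-monitoring signal (item 3) in runnable form, as an added example that is not code from the Simple Grading System or its vendor. The page names only an unknown function in /login.php, so the table name, columns, hashing and login logic below are assumptions, and the database is an in-memory SQLite stand-in for the real backend. The vulnerable function builds its SQL by string concatenation; the hardened one keeps the SQL text fixed and binds the same values as parameters, so a constructed username probe that truncates the first query's WHERE clause is treated by the second as a literal username that matches nothing. A small helper shows the kind of check that feeds item 3: flagging login attempts whose username carries quote or comment tokens for review.

```python
import hashlib
import hmac
import sqlite3


def hash_password(password: str) -> str:
    # Demo only: a real deployment should use a salted, slow hash
    # (PHP's password_hash(), for example), not a bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the Admin Panel's user table; the real
    # Simple Grading System schema is not described on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO admin (username, password_hash) VALUES (?, ?)",
        ("admin", hash_password("correct horse")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Anti-pattern: untrusted input is spliced into the SQL text, so a
    username containing a quote can change the structure of the query."""
    sql = (
        "SELECT id FROM admin WHERE username = '" + username
        + "' AND password_hash = '" + hash_password(password) + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mitigation: the SQL text is fixed and the username travels as a bound
    parameter, so no input can alter the query. The password hash is then
    compared in constant time in application code."""
    row = conn.execute(
        "SELECT password_hash FROM admin WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_password(password))


def suspicious_login_input(username: str) -> bool:
    """Monitoring aid: flag usernames carrying SQL quote or comment tokens so
    the attempt is logged for review. A detection signal only, not a
    substitute for parameterized queries."""
    return any(tok in username for tok in ("'", '"', "--", "/*", ";"))


if __name__ == "__main__":
    db = make_db()
    probe = "admin' --"  # constructed probe: comments out the password clause
    print("vulnerable:", login_vulnerable(db, probe, "x"))   # True
    print("hardened:  ", login_hardened(db, probe, "x"))     # False
    print("flagged:   ", suspicious_login_input(probe))      # True
```

The same fix in the application's own language is a PDO prepared statement: `$pdo->prepare('SELECT password_hash FROM admin WHERE username = :u')` followed by `->execute([':u' => $username])`, with the hash verified by `password_verify()` rather than compared inside the query.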
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-29T07:30:14.368Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b1d9c3ad5a09ad007982d9
Added to database: 8/29/2025, 4:48:03 PM
Last enriched: 8/29/2025, 5:03:08 PM
Last updated: 9/2/2025, 6:00:32 PM
Related Threats
- CVE-2025-54588: CWE-416: Use After Free in envoyproxy envoy (High)
- CVE-2025-9260: CWE-502 Deserialization of Untrusted Data in techjewel Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder (Medium)
- CVE-2025-9840: SQL Injection in itsourcecode Sports Management System (Medium)
- CVE-2025-9839: SQL Injection in itsourcecode Student Information Management System (Medium)
- CVE-2025-9838: SQL Injection in itsourcecode Student Information Management System (Medium)