
CVE-2025-9663: SQL Injection in code-projects Simple Grading System

Medium
Published: Fri Aug 29 2025 (08/29/2025, 17:02:09 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Grading System

Description

A vulnerability was identified in code-projects Simple Grading System 1.0. It affects an unknown function of the file /edit_account.php in the Admin Panel component. Manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 08/29/2025, 17:33:31 UTC

Technical Analysis

CVE-2025-9663 is a medium-severity SQL injection vulnerability affecting version 1.0 of the code-projects Simple Grading System, specifically the /edit_account.php file in the Admin Panel component. The flaw arises from improper sanitization or validation of the 'ID' parameter, which an attacker can manipulate to inject SQL code into the query the script builds. The injection allows remote attackers to execute arbitrary SQL commands on the backend database without requiring authentication or user interaction. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, meaning limited privileges rather than full administrative authentication), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). A public exploit is available, which increases the risk of exploitation, although no active exploitation in the wild has been reported yet. The vulnerability could allow attackers to read, modify, or delete sensitive grading data or user account information stored in the database, potentially leading to data breaches or unauthorized privilege escalation within the grading system. Because the affected software is a grading system used in educational environments, the integrity and confidentiality of student grades and personal data are at risk. Its presence in an administrative panel raises its criticality, since administrative functions typically carry elevated privileges and access to sensitive data. However, the medium severity rating reflects the limited scope of impact and the requirement for some level of privileges (PR:L) to exploit the flaw, which may restrict exploitation to users who already have some access to the system.

Potential Impact

For European organizations, particularly educational institutions using the Simple Grading System 1.0, this vulnerability poses a risk to the confidentiality and integrity of student records and administrative data. Successful exploitation could lead to unauthorized access to sensitive personal information, manipulation of grades, or disruption of grading processes. This could result in reputational damage, legal liabilities under GDPR due to data breaches, and operational disruptions during academic cycles. Since the vulnerability allows remote exploitation without user interaction, attackers could potentially automate attacks to extract or alter data. The impact is heightened in institutions where the grading system is integrated with other administrative or identity management systems, potentially enabling lateral movement or privilege escalation. However, the medium severity and requirement for limited privileges suggest that exploitation may be constrained to insiders or users with some level of access, reducing the risk of widespread external attacks. Nonetheless, the availability of public exploits increases the urgency for mitigation to prevent opportunistic attacks.

Mitigation Recommendations

Organizations should prioritize patching or upgrading the Simple Grading System to a version that addresses this vulnerability once available. In the absence of an official patch, immediate mitigations include implementing strict input validation and parameterized queries or prepared statements in the /edit_account.php script to prevent SQL injection. Restrict access to the Admin Panel by network segmentation, IP whitelisting, or VPN access to limit exposure to trusted users only. Employ web application firewalls (WAFs) configured to detect and block SQL injection attempts targeting the 'ID' parameter. Conduct regular code audits and penetration testing focusing on input handling in administrative interfaces. Additionally, monitor logs for unusual database queries or failed injection attempts. Educate administrative users on security best practices and enforce the principle of least privilege to minimize the number of users with access to vulnerable components. Finally, ensure regular backups of grading data to enable recovery in case of data tampering or loss.
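To make the prepared-statement recommendation concrete, the following is an added illustration and not code from Simple Grading System: the advisory does not show /edit_account.php, so the handler below is a hypothetical reconstruction of the described pattern (an 'ID' request parameter reaching a SQL query), with the vulnerable string-concatenation form beside a hardened version that validates the type and binds the value through PDO. The `accounts` table, its columns and the sample rows are constructed for the demo.

```php
<?php
// Added illustration, not code from Simple Grading System. The advisory does
// not show edit_account.php; this is a hypothetical reconstruction of the
// pattern it describes. Assumed: a PDO connection and an `accounts` table
// with an integer `id` column (constructed for this demo).
declare(strict_types=1);

// Vulnerable pattern: the request value is spliced into the SQL text, so
// whatever the client sends becomes part of the statement itself.
function loadAccountVulnerable(PDO $db, array $request): ?array
{
    $id = $request['ID'] ?? '';
    $sql = "SELECT id, username, role FROM accounts WHERE id = '" . $id . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// the value as a typed parameter so the database receives the SQL structure
// and the data separately and never parses the data as SQL.
function loadAccountHardened(PDO $db, array $request): ?array
{
    $id = filter_var($request['ID'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return null; // invalid or missing ID: nothing reaches the database
    }
    $stmt = $db->prepare('SELECT id, username, role FROM accounts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$db->exec("INSERT INTO accounts VALUES (1, 'admin', 'admin'), (2, 'teacher1', 'teacher')");

// A legitimate numeric ID is looked up normally.
var_dump(loadAccountHardened($db, ['ID' => '2'])['username']); // string(8) "teacher1"

// A non-integer value is refused before any query is built or executed.
var_dump(loadAccountHardened($db, ['ID' => "2'abc"])); // NULL
```

The same two checks (type validation, then a bound parameter) apply to every other request value the script feeds into SQL, and a WAF rule on the 'ID' parameter is a complement to this fix, not a substitute for it.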


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-29T07:30:23.724Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b1e0bead5a09ad0079a9dd

Added to database: 8/29/2025, 5:17:50 PM

Last enriched: 8/29/2025, 5:33:31 PM

Last updated: 8/29/2025, 8:03:30 PM
