
CVE-2025-9664: SQL Injection in code-projects Simple Grading System

Severity: Medium
Published: Fri Aug 29 2025 (08/29/2025, 17:02:14 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Grading System

Description

A security flaw has been discovered in code-projects Simple Grading System 1.0. Affected is an unknown function of the file /add_student_grade.php of the component Admin Panel. The manipulation of the argument Add results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be used.

AI-Powered Analysis

Last updated: 08/29/2025, 17:33:18 UTC

Technical Analysis

CVE-2025-9664 is a medium-severity SQL injection vulnerability in version 1.0 of the code-projects Simple Grading System, located in the /add_student_grade.php script of the Admin Panel component. Input reaching the 'Add' argument is neither validated nor bound as a query parameter, so an attacker who can reach the script can change the structure of the SQL statement it executes rather than merely its data. Two caveats matter for anyone triaging this. First, the advisory names only the script and the 'Add' argument; it does not say which form field is spliced into the query, so every value the script reads from the request should be treated as untrusted until the code has been read. Second, the CVSS 4.0 vector is network-based (AV:N) with low attack complexity (AC:L), no user interaction (UI:N) and low privileges required (PR:L). PR:L means the attack is not unauthenticated: the attacker needs a login that can reach the Admin Panel page, although any low-privileged account, a default credential or a separately obtained session suffices, and no victim has to click anything. Confidentiality, integrity and availability impacts are each rated low, which is consistent with an attacker controlling part of a single statement rather than the whole database connection, or with a restricted database account; the practical effect is still that grade records can be read or altered. No exploitation in the wild has been observed, but exploit details are public, which lowers the effort required. Only version 1.0 is listed as affected, the application is PHP (the affected script is a .php file), and no vendor patch is available at the time of writing. The product is a small grade-management system, so deployments are most likely in schools, training providers and similar organisations handling academic records, and the lack of a fix makes compensating controls the immediate priority.
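To make the mechanism concrete, here is an added example that is not code from code-projects or from this advisory: a Python/sqlite3 stand-in for the grade-insertion handler, written once with request values spliced into the statement text (the pattern behind this class of bug in small PHP applications) and once with bound parameters. The table and column names, the seeded data, and the assumption that the vulnerable statement is an INSERT fed by form fields are all assumptions made for the demonstration; the real product uses PHP and a MySQL-style backend, and the advisory names only the script and the 'Add' argument.

```python
import sqlite3

# Constructed in-memory schema standing in for the grading application's
# database.  Table and column names are assumptions for this example.
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE grades (id INTEGER PRIMARY KEY, student_id TEXT, subject TEXT, grade TEXT);
INSERT INTO users (username, password) VALUES ('admin', 'hash$of$admin$password');
"""


def fresh_db():
    """Return a new connection with the constructed schema loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_grade_vulnerable(conn, student_id, subject, grade):
    """Mirrors the PHP pattern  "INSERT ... VALUES ('$student_id', '$subject', '$grade')":
    request values are concatenated into the statement and parsed as SQL."""
    sql = (
        "INSERT INTO grades (student_id, subject, grade) "
        f"VALUES ('{student_id}', '{subject}', '{grade}')"
    )
    conn.execute(sql)
    conn.commit()


def add_grade_fixed(conn, student_id, subject, grade):
    """Parameterised form: the driver binds the values, so they are never
    interpreted as SQL regardless of quotes, comments or subqueries."""
    conn.execute(
        "INSERT INTO grades (student_id, subject, grade) VALUES (?, ?, ?)",
        (student_id, subject, grade),
    )
    conn.commit()


def list_grades(conn):
    """What the 'view grades' page would render: every stored row."""
    return conn.execute(
        "SELECT student_id, subject, grade FROM grades ORDER BY id"
    ).fetchall()


# Constructed payload for the first quoted value.  It closes that value,
# supplies the remaining two values itself (the third being a scalar subquery
# that reads a sensitive column), closes the VALUES list, and comments out the
# rest of the original statement.  The stolen value then shows up in the
# grade column on the next grade listing: an INSERT-based exfiltration.
PAYLOAD = "1', 'Math', (SELECT password FROM users WHERE username='admin')) -- "


def demo(handler):
    """Run one handler against a fresh database with the payload in the
    student_id field and return the rows that end up in the grades table."""
    conn = fresh_db()
    handler(conn, PAYLOAD, "History", "B")
    rows = list_grades(conn)
    conn.close()
    return rows


if __name__ == "__main__":
    print("vulnerable:", demo(add_grade_vulnerable))
    print("fixed:     ", demo(add_grade_fixed))
```

With the concatenating handler the stored row is ('1', 'Math', 'hash$of$admin$password'): the attacker chose the subject, discarded the submitted grade, and planted the admin password hash where the grade page will display it. With the parameterised handler the whole payload string is stored verbatim as a student ID and nothing else changes. The same contrast holds for MySQL via mysqli or PDO prepared statements in the real application; escaping alone is a weaker substitute because it has to be applied correctly at every concatenation site.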

Potential Impact

For European organizations, particularly educational institutions running Simple Grading System 1.0, this vulnerability puts student data at risk: grades, and whatever personal details the grading records carry. Exploitation could lead to data leakage, unauthorized grade changes, or disruption of grading, undermining the integrity of academic records and trust in them. The overall rating is medium because the attacker needs a low-privileged login and the confidentiality, integrity and availability impacts are each rated low, but exposure or alteration of academic data still carries reputational and regulatory consequences, including GDPR obligations for personal data. Because the attack is remote and needs no user interaction, it can be automated once an account or session is available and requires no social engineering of staff. Organizations relying on this system should consider both opportunistic scanning driven by the public exploit and targeted attempts by insiders or students to alter outcomes or extract personal data, either of which affects compliance and privacy obligations.

Mitigation Recommendations

Given the absence of an official patch, organizations running this software should put compensating controls in place now:

1) Restrict network access to the Admin Panel, and to /add_student_grade.php in particular, with IP allow-listing or VPN-only access, and review which accounts can log in to it at all, since PR:L means any low-privileged login is enough to reach the flaw.

2) Deploy a Web Application Firewall with rules that inspect every parameter of requests to /add_student_grade.php for SQL injection patterns, not only a parameter named 'Add'; the advisory does not say which field is spliced into the query.

3) Fix the code. The application's PHP source is deployed on the server, so the INSERT in /add_student_grade.php can be converted to a prepared statement (mysqli or PDO with bound parameters) and the form fields validated against their expected types, without waiting for the vendor.

4) Monitor web server and database logs for requests to the vulnerable endpoint carrying quote characters, comment markers or SQL keywords, for bursts of repeated requests from one source, and for database errors raised by that script.

5) Run the grading database under a least-privilege account with rights only to the tables the application needs, so that a successful injection cannot reach other databases or write files.

6) Plan an upgrade or migration to a patched release or an alternative grading system as soon as one is available.

7) Brief IT staff on the exploitation indicators above so that attempts are recognised and handled promptly.

Together these focus on access control, detection and containment for the specific vulnerable component rather than on generic hardening.
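Recommendations 2 and 4 above can be started from web server access logs before a WAF is in place. The following is an added example, not from the vendor or from this advisory, that scans constructed Apache-style log lines for requests to /add_student_grade.php, flags query-string values carrying common injection indicators, and counts per-source request bursts. The log lines, the threshold and the pattern set are constructed assumptions. Note that a plain access log does not contain POST bodies, which is where a form submission to this script would normally carry its values; the same check_params function applies unchanged once a WAF audit log or reverse proxy records decoded request bodies.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Fields we need from an Apache/nginx "combined"-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse indicators that a quoted SQL value is being broken out of.  A WAF
# rule set for the same endpoint would carry equivalent patterns; these are
# constructed for the example and will need tuning against real traffic.
SQLI_PATTERNS = {
    "tautology":      re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),   # ' OR 1=1
    "quote_breakout": re.compile(r"'\s*[,)]"),                              # ', ...  or ') ...
    "comment":        re.compile(r"(--|/\*|#)"),                            # trailing-comment trick
    "union_select":   re.compile(r"\bunion\b(\s+all)?\s+\bselect\b", re.I),
    "subselect":      re.compile(r"\bselect\b.+\bfrom\b", re.I),
    "time_based":     re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_reasons(value):
    """Names of every indicator that fires on a single decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]


def check_params(params):
    """params: {name: [values]} as produced by parse_qs, or by a WAF body decoder.
    Every parameter is inspected, not just 'Add', because the advisory does not
    say which field reaches the query."""
    findings = []
    for name, values in params.items():
        for value in values:
            reasons = sqli_reasons(value)
            if reasons:
                findings.append({"param": name, "value": value, "reasons": reasons})
    return findings


def scan(lines, endpoint="/add_student_grade.php", burst_threshold=5):
    """Return (injection hits, bursty sources) for requests to the endpoint."""
    hits, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != endpoint:
            continue
        per_ip[rec["ip"]] += 1
        for finding in check_params(parse_qs(url.query, keep_blank_values=True)):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], **finding})
    bursty = sorted((ip, n) for ip, n in per_ip.items() if n >= burst_threshold)
    return hits, bursty


# Constructed sample: one benign GET, one GET with an encoded ' OR 1=1-- in
# student_id, an unrelated request, and a burst of POSTs whose bodies the
# access log cannot show (addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2025:17:02:14 +0000] "GET /add_student_grade.php?student_id=12&subject=Math&grade=B&Add=Add HTTP/1.1" 200 512
203.0.113.7 - - [29/Aug/2025:17:02:20 +0000] "GET /add_student_grade.php?student_id=12%27%20OR%201%3D1--&subject=Math&grade=B&Add=Add HTTP/1.1" 200 531
198.51.100.23 - - [29/Aug/2025:17:03:01 +0000] "GET /index.php HTTP/1.1" 200 1024
198.51.100.23 - - [29/Aug/2025:17:03:02 +0000] "POST /add_student_grade.php HTTP/1.1" 302 0
198.51.100.23 - - [29/Aug/2025:17:03:02 +0000] "POST /add_student_grade.php HTTP/1.1" 302 0
198.51.100.23 - - [29/Aug/2025:17:03:03 +0000] "POST /add_student_grade.php HTTP/1.1" 302 0
198.51.100.23 - - [29/Aug/2025:17:03:03 +0000] "POST /add_student_grade.php HTTP/1.1" 302 0
198.51.100.23 - - [29/Aug/2025:17:03:04 +0000] "POST /add_student_grade.php HTTP/1.1" 302 0
198.51.100.23 - - [29/Aug/2025:17:03:04 +0000] "POST /add_student_grade.php HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    found, bursts = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['param']}={h['value']!r} {h['reasons']}")
    for ip, n in bursts:
        print(f"burst: {ip} made {n} requests to the endpoint")
```

On the sample the scanner reports one injection hit (203.0.113.7, parameter student_id, reasons tautology and comment) and one bursty source (198.51.100.23 with six requests). The POSTs are flagged on rate alone; the 500 response on the last one is the kind of database error that recommendation 4 asks to watch for, and enabling request-body logging on the WAF or proxy is what turns those blind POSTs into inspectable parameters.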


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T07:30:26.407Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b1e0bead5a09ad0079a9e4

Added to database: 8/29/2025, 5:17:50 PM

Last enriched: 8/29/2025, 5:33:18 PM

Last updated: 8/29/2025, 8:03:31 PM
