CVE-2025-9665: SQL Injection in code-projects Simple Grading System

Medium
Published: Fri Aug 29 2025 (08/29/2025, 17:32:09 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Grading System

Description

A weakness has been identified in code-projects Simple Grading System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_student.php of the component Admin Panel. Manipulation of the argument ID causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used in attacks.

AI-Powered Analysis

Last updated: 08/29/2025, 18:32:55 UTC

Technical Analysis

CVE-2025-9665 is a medium-severity SQL injection vulnerability in version 1.0 of the code-projects Simple Grading System, specifically in the Admin Panel component's /edit_student.php file. The flaw arises from improper sanitization or validation of the 'ID' parameter, which can be manipulated to inject SQL code and execute arbitrary SQL statements against the backend database. The vulnerability requires no user interaction and can be exploited remotely without prior authentication, which increases its risk profile.

The CVSS 4.0 base score is 5.3, reflecting a medium severity due to the limited scope of impact and the requirement of low privileges (PR:L) but no user interaction or authentication. Confidentiality, integrity and availability are each affected to a limited extent (VC:L, VI:L, VA:L): an attacker could read or modify some data and cause partial disruption, but not fully compromise the system. The attack vector is network-based (AV:N), so the flaw is reachable over the internet or any internal network where the application is exposed.

No patches or fixes have been published yet. Exploit code is publicly available, but no active exploitation in the wild has been reported at this time. Only version 1.0 of the Simple Grading System is affected; the product is used for managing grading data and is likely deployed in educational institutions or administrative environments.

Potential Impact

For European organizations, particularly educational institutions or administrative bodies using the Simple Grading System 1.0, this vulnerability poses a risk of unauthorized data access and modification. Attackers exploiting this SQL Injection could extract sensitive student information, alter grading records, or disrupt system availability, undermining data integrity and trust in academic processes. The breach of confidentiality could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. Although the vulnerability requires low privileges, the lack of authentication requirement means attackers can attempt exploitation remotely, increasing exposure. The impact is more pronounced in organizations that have not implemented compensating controls such as web application firewalls or network segmentation. Additionally, the absence of a patch means organizations must rely on mitigation strategies to reduce risk until an official fix is released.

Mitigation Recommendations

1. Immediately implement input validation and parameterized queries or prepared statements in the /edit_student.php file to prevent SQL injection.
2. Deploy Web Application Firewalls (WAFs) with rules specifically targeting SQL injection patterns to block malicious requests aimed at the 'ID' parameter.
3. Restrict network access to the Admin Panel by limiting IP ranges and enforcing VPN or zero-trust access models to reduce exposure.
4. Conduct thorough code audits and penetration testing on the Simple Grading System to identify and remediate similar injection points.
5. Monitor logs for unusual database query patterns or repeated failed attempts to manipulate the 'ID' parameter.
6. Plan and prioritize upgrading or patching the Simple Grading System once a vendor fix becomes available.
7. Educate system administrators on the risks and signs of SQL injection attacks to enable rapid detection and response.
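Recommendation 1 in practice, as an added illustration that is not code from the Simple Grading System: a hypothetical edit_student.php handler that validates the ID argument as a positive integer and binds it through a mysqli prepared statement, so the value can never alter the query structure. The `students` table, its columns, and the `$conn` connection are assumptions; the real file's schema is not on this page.

```php
<?php
// Added example, not the project's code. Assumes an open mysqli connection in
// $conn and a hypothetical `students` table with an integer primary key `id`.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Vulnerable pattern (do NOT use): untrusted input concatenated into the SQL text.
// $sql = "SELECT * FROM students WHERE id = " . $_GET['ID'];

/**
 * Reject anything that is not a positive integer before it reaches the database.
 * Returns the ID as an int, or null when the value is missing or malformed.
 */
function parseStudentId(array $params): ?int
{
    if (!isset($params['ID'])) {
        return null;
    }
    $id = filter_var($params['ID'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Load one student row with a prepared statement. The ID is bound as an integer
 * parameter ('i'), so it is sent separately from the query text.
 */
function fetchStudent(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT id, name, grade FROM students WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$id = parseStudentId($_GET);
if ($id === null) {
    http_response_code(400);   // malformed or missing ID: refuse before any query
    exit('Invalid student ID');
}

$student = fetchStudent($conn, $id);
if ($student === null) {
    http_response_code(404);
    exit('Student not found');
}
// ... render the edit form from $student ...
```

Rejected requests (the 400 branch) are also a natural log source for recommendation 5, since repeated non-integer values for ID from one client are a simple indicator of probing.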

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-29T07:30:29.056Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b1eecfad5a09ad007a1e3f

Added to database: 8/29/2025, 6:17:51 PM

Last enriched: 8/29/2025, 6:32:55 PM

Last updated: 8/30/2025, 12:34:20 AM
