
CVE-2025-9667: SQL Injection in code-projects Simple Grading System

Medium
Vulnerability: CVE-2025-9667
Published: Fri Aug 29 2025 (08/29/2025, 18:32:08 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Simple Grading System

Description

A vulnerability was detected in code-projects Simple Grading System 1.0. This affects an unknown part of the file /delete_account.php of the component Admin Panel. Manipulation of the argument ID results in SQL injection. The attack may be initiated remotely. The exploit is now public and may be used.

AI-Powered Analysis

Last updated: 08/29/2025, 19:02:45 UTC

Technical Analysis

CVE-2025-9667 is a SQL injection vulnerability identified in version 1.0 of the code-projects Simple Grading System, specifically within the /delete_account.php file of the Admin Panel component. The vulnerability arises because the 'ID' parameter is not properly validated or bound before being used in a database query, so an attacker who controls that parameter can alter the SQL statement. As the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates, the flaw is reachable over the network with low attack complexity and no user interaction, but PR:L means the attacker needs low-privileged access, consistent with the endpoint sitting in the Admin Panel; with that access, arbitrary SQL queries can be executed against the backend database. The vulnerability impacts the confidentiality, integrity, and availability of the database, potentially enabling attackers to read sensitive data, modify or delete records, or disrupt system operations. Although the CVSS score is moderate at 5.3, exploitation is relatively straightforward due to the low attack complexity and the absence of any user-interaction requirement. No patches or fixes have been published yet, and while there are no known exploits in the wild, the public availability of exploit code increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, a niche grading system likely used by educational institutions or small organizations to manage student grades and accounts.

Potential Impact

For European organizations, especially educational institutions using the Simple Grading System 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to student records, personal data, and administrative accounts, violating data protection regulations such as GDPR. The integrity of grading data could be compromised, undermining trust in academic records. Additionally, attackers could delete or alter accounts, causing denial of service or administrative disruption. The potential for data leakage or manipulation could result in reputational damage, legal penalties, and operational downtime. Given the administrative nature of the affected component, the impact extends beyond data theft to include possible full system compromise if attackers leverage the SQL injection to escalate privileges or pivot within the network.

Mitigation Recommendations

Organizations should immediately audit their use of the Simple Grading System 1.0 and identify any instances of the vulnerable software. Since no official patch is currently available, mitigation should focus on implementing strict input validation and parameterized queries or prepared statements in the /delete_account.php script to prevent SQL injection. Web application firewalls (WAFs) can be deployed to detect and block malicious SQL payloads targeting the 'ID' parameter. Access to the Admin Panel should be restricted via network segmentation and strong authentication mechanisms to reduce exposure. Regular monitoring of logs for suspicious activity related to account deletion requests is recommended. Organizations should also consider upgrading to a newer, patched version of the software if available or migrating to alternative grading systems with better security track records. Finally, conducting security awareness training for administrators and developers on secure coding practices will help prevent similar vulnerabilities.
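The parameterized-query fix recommended above, shown as an added illustration for the /delete_account.php pattern; this is not code from Simple Grading System, and the connection details, table name, column name and session key are assumed placeholders:

```php
<?php
// Added example, not the project's code. Table/column names, connection
// details and the 'admin_id' session key are assumed placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'grading_user', 'CHANGE_ME', 'grading');

// Vulnerable pattern this replaces (string concatenation, never do this):
//   $db->query("DELETE FROM accounts WHERE id = " . $_GET['ID']);

function deleteAccountById(mysqli $db, string $rawId): int
{
    // Validate before the value reaches SQL: only a positive integer is acceptable.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return 0;
    }

    // Prepared statement: the value travels separately from the query text, so
    // user-controlled characters cannot change the statement's structure.
    $stmt = $db->prepare('DELETE FROM accounts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Account deletion is state-changing: require an authenticated admin session
// and a POST request rather than a GET with the ID in the URL.
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit;
}

$requestedId = $_POST['ID'] ?? '';
$rows = deleteAccountById($db, $requestedId);

// Record who deleted what, so deletion requests can be reviewed in the logs.
error_log(sprintf('delete_account admin=%d id=%s rows=%d',
    (int) $_SESSION['admin_id'], $requestedId, $rows));
```

Rejected requests (non-integer IDs, missing session) return 400/403 and leave a log line, which gives the monitoring step above something concrete to alert on.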


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T07:30:34.652Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b1f5d4ad5a09ad007a36e2

Added to database: 8/29/2025, 6:47:48 PM

Last enriched: 8/29/2025, 7:02:45 PM

Last updated: 8/29/2025, 7:58:49 PM
