
CVE-2025-9679: SQL Injection in itsourcecode Student Information System

Medium
Published: Sat Aug 30 2025 (08/30/2025, 04:32:06 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: Student Information System

Description

A security vulnerability has been detected in itsourcecode Student Information System 1.0. This affects an unknown function of the file /course_edit1.php. Manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

AI-Powered Analysis

Last updated: 08/30/2025, 05:02:46 UTC

Technical Analysis

CVE-2025-9679 is a medium-severity SQL Injection vulnerability identified in version 1.0 of the itsourcecode Student Information System (SIS). The vulnerability resides in the /course_edit1.php file, specifically involving the manipulation of the 'ID' parameter. An attacker can remotely exploit this flaw without requiring authentication or user interaction. By injecting malicious SQL code into the 'ID' parameter, the attacker can manipulate backend database queries. This can lead to unauthorized data access, data modification, or potentially database corruption. The CVSS 4.0 base score is 6.9, reflecting a network attack vector with low complexity and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is rated low individually but combined leads to a medium overall severity. No official patches or fixes have been published yet, and while no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is a student information system typically used by educational institutions to manage student data, courses, and related academic information.
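The bug class the analysis describes, shown as an added example that is not code from the itsourcecode product or from this advisory: a record lookup that splices an ID request parameter into the SQL string, beside the two fixes (binding the value as a prepared-statement parameter, and additionally validating that it is an integer). The `course` table, its columns, the sample rows and the tautology payload are constructed for the demonstration; the example runs against an in-memory SQLite database and does not reproduce the published exploit.

```python
"""Vulnerable and hardened versions of a "load record by ID" lookup.

Constructed demonstration of the SQL injection class described above, run
against an in-memory SQLite database. The `course` table, its columns and
the sample rows are hypothetical and not taken from the itsourcecode code
base; only the idea of an ID parameter selecting a course record comes from
the advisory.
"""
import sqlite3

# Constructed sample data.
ROWS = [
    (1, "CS101", "Intro to Programming"),
    (2, "CS201", "Data Structures"),
    (3, "MA101", "Calculus I"),
]

# A payload of the classic tautology form; shown to illustrate the bug class,
# not a reproduction of the published exploit for CVE-2025-9679.
PAYLOAD = "1' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course (id INTEGER PRIMARY KEY, code TEXT, title TEXT)")
    conn.executemany("INSERT INTO course VALUES (?, ?, ?)", ROWS)
    return conn


def load_course_vulnerable(conn, course_id: str):
    """The bug: the request parameter is spliced into the SQL text."""
    query = f"SELECT id, code, title FROM course WHERE id = '{course_id}'"
    return conn.execute(query).fetchall()


def load_course_parameterized_only(conn, course_id: str):
    """Binding alone already defeats the payload: the whole string is compared
    as a value against the integer key and matches nothing."""
    return conn.execute(
        "SELECT id, code, title FROM course WHERE id = ?", (course_id,)
    ).fetchall()


def load_course_hardened(conn, course_id: str):
    """Defense in depth: allow-list the parameter's shape, then bind it."""
    try:
        numeric_id = int(course_id)
    except ValueError:
        # Reject at the edge so the request can be answered with HTTP 400
        # and logged, instead of silently returning an empty result.
        raise ValueError(f"rejected non-numeric id parameter: {course_id!r}")
    return conn.execute(
        "SELECT id, code, title FROM course WHERE id = ?", (numeric_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, id=2        :", load_course_vulnerable(conn, "2"))
    print("vulnerable, id=PAYLOAD  :", load_course_vulnerable(conn, PAYLOAD))
    print("parameterized, PAYLOAD  :", load_course_parameterized_only(conn, PAYLOAD))
    print("hardened, id=2          :", load_course_hardened(conn, "2"))
    try:
        load_course_hardened(conn, PAYLOAD)
    except ValueError as exc:
        print("hardened, id=PAYLOAD    : blocked ->", exc)
```

Run stand-alone, the vulnerable lookup returns all three rows for the tautology payload, because the spliced quote turns the WHERE clause into `id = '1' OR '1'='1'`; the parameterized lookup returns no rows for the same input, and the hardened one refuses it before any query is issued. In a PHP application the equivalent of the second layer is `filter_var($_GET['ID'], FILTER_VALIDATE_INT)` (which rejects rather than coerces, unlike an `(int)` cast) followed by a PDO or MySQLi prepared statement.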

Potential Impact

For European organizations, particularly educational institutions using the itsourcecode Student Information System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive student and academic data. Exploitation could lead to unauthorized disclosure of personal information, academic records, or manipulation of course data, potentially undermining institutional trust and compliance with data protection regulations such as GDPR. Availability impact is less severe but could still occur if database integrity is compromised. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in environments where the SIS is exposed to the internet or insufficiently segmented networks. Given the critical role of student information systems in academic administration, exploitation could disrupt educational operations and lead to reputational damage and regulatory penalties.

Mitigation Recommendations

Organizations should first inventory their estate for deployments of itsourcecode Student Information System version 1.0. No official patch is available at the time of writing, so mitigation rests on compensating controls, plus a source-level fix where the institution maintains the PHP code itself:

1) Restrict network access to the SIS application to trusted internal networks or a VPN; it should not be reachable directly from the internet.
2) Deploy a Web Application Firewall (WAF) rule for /course_edit1.php that allows only a plain integer in the ID parameter. An allow-list on the parameter's shape is more robust than a block-list of SQL keywords, which URL-encoded or case-varied payloads can evade.
3) Fix the query itself: in the application code, validate that ID is an integer and pass it to the database as a bound parameter of a prepared statement (PDO or MySQLi in PHP) rather than concatenating it into the SQL string. Apply the same pattern to every other user-supplied parameter.
4) Monitor web-server and database logs for requests to /course_edit1.php whose ID value is non-numeric, and for query errors or unusually large result sets that indicate probing.
5) Plan an urgent upgrade as soon as the vendor publishes a fix.
6) Brief IT staff on the vulnerability and make sure incident response plans cover a compromised SIS database.
7) Isolate the SIS database: run the application under a dedicated database account with least privilege (only the SELECT/INSERT/UPDATE/DELETE rights it needs on its own schema, no FILE or administrative privileges), so that a successful injection cannot escalate beyond the application's own data.
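A concrete form of the log-monitoring control above, as an added example rather than tooling from the advisory or the product: a small parser that reads web-server access log lines in the common "combined" format, picks out requests to /course_edit1.php, decodes the ID parameter (matched case-insensitively, since the advisory writes it as ID) and flags any value that is not a plain integer. The log lines are constructed for the demonstration; only the path and parameter name come from the CVE description. The same allow-list check is what the WAF rule in item 2 should encode.

```python
"""Flag requests to /course_edit1.php whose ID parameter is not a plain integer.

Constructed detection example; not part of the original advisory. The sample
log lines are made up. Only the target path and the parameter name are taken
from the CVE description.
"""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/course_edit1.php"
PARAM = "id"                      # compared case-insensitively
INTEGER_ID = re.compile(r"^\d{1,10}$")

# Fields we need from a combined-format line: %h %l %u %t "%r" %>s %b
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one benign edit, then three probes of the ID
# parameter (a quoted tautology, a time-based probe, a UNION attempt).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2025:04:40:01 +0000] "GET /course_edit1.php?ID=12 HTTP/1.1" 200 2311
203.0.113.7 - - [30/Aug/2025:04:40:05 +0000] "GET /course_edit1.php?ID=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9874
198.51.100.9 - - [30/Aug/2025:04:41:17 +0000] "GET /course_edit1.php?ID=7%20AND%20SLEEP(5) HTTP/1.1" 200 2298
198.51.100.9 - - [30/Aug/2025:04:41:20 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [30/Aug/2025:04:42:00 +0000] "GET /course_edit1.php?id=-1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0
"""


def extract_id_values(target: str):
    """Decoded ID values from a request target, or [] if it is another path."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    # parse_qs percent-decodes the values, so encoded quotes become quotes.
    qs = parse_qs(parts.query, keep_blank_values=True)
    return [v for key, vals in qs.items() if key.lower() == PARAM for v in vals]


def flag_suspicious_requests(log_text: str):
    """Return (client_ip, decoded_id_value, status) for every non-integer ID."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # unparsable line; skip, do not crash
        for value in extract_id_values(m["target"]):
            if not INTEGER_ID.match(value):
                hits.append((m["ip"], value, m["status"]))
    return hits


if __name__ == "__main__":
    for ip, value, status in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric ID {value!r} (HTTP {status})")
```

Checking the decoded value against an integer allow-list catches all three probes, including the percent-encoded one that a keyword filter on the raw line would miss. Two caveats: this only sees GET parameters, because POST bodies are not written to access logs, so the database query log (or the application's own logging) is needed to cover the form-submission path; and a 200 response with an unusually large body, as in the second line, is itself a signal worth correlating.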


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T10:31:30.653Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b28275ad5a09ad007eda43

Added to database: 8/30/2025, 4:47:49 AM

Last enriched: 8/30/2025, 5:02:46 AM

Last updated: 8/30/2025, 10:24:07 AM
