CVE-2025-9750 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Learning Management System (LMS). The flaw exists in the /admin/login.php file, specifically in the handling of the 'Username' parameter. An attacker can manipulate this parameter to inject malicious SQL code, which the backend database executes. This vulnerability is remotely exploitable without requiring authentication or user interaction, making it particularly dangerous. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (network vector, no privileges required) and the potential impact on confidentiality, integrity, and availability, albeit with limited scope and impact. The vulnerability allows attackers to potentially bypass authentication, extract sensitive data, modify or delete data, or disrupt service availability. Although no public exploit is confirmed to be in widespread use, a proof-of-concept exploit has been released publicly, increasing the risk of exploitation. The lack of a patch or mitigation guidance from the vendor at this time further elevates the risk for organizations using this LMS version. Given the LMS context, educational institutions and organizations relying on Campcodes LMS are at risk of data breaches, unauthorized access, and operational disruption.

For European organizations, especially educational institutions, training providers, and corporate learning departments using Campcodes LMS 1.0, this vulnerability poses significant risks. Exploitation could lead to unauthorized access to administrative functions, exposing sensitive user data such as personal information, academic records, and credentials. Data integrity could be compromised, affecting the reliability of educational records and assessments. Availability impacts could disrupt learning activities and administrative operations, causing reputational damage and compliance issues under GDPR due to potential data breaches. The remote, unauthenticated nature of the exploit increases the attack surface, making it easier for threat actors to target European entities without needing insider access. The public availability of exploit code further elevates the threat level, potentially leading to automated attacks or widespread exploitation campaigns targeting vulnerable LMS installations across Europe.

European organizations should immediately audit their LMS deployments to identify any instances of Campcodes Online Learning Management System version 1.0. Given the absence of an official patch, organizations should implement compensating controls such as deploying Web Application Firewalls (WAFs) with specific rules to detect and block SQL injection attempts targeting the /admin/login.php endpoint and the 'Username' parameter. Input validation and parameterized queries should be enforced if organizations have the capability to modify the LMS codebase. Restricting network access to the LMS admin interface to trusted IP ranges or VPNs can reduce exposure. Continuous monitoring of logs for suspicious login attempts or SQL errors indicative of injection attempts is critical. Organizations should also prepare incident response plans for potential data breaches and consider isolating the LMS environment until a vendor patch is available. Engaging with the vendor for updates and applying patches promptly upon release is essential.