CVE-2025-9751 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Learning Management System (LMS). The vulnerability exists in the /login.php file, specifically in the processing of the 'Username' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This type of injection flaw can lead to unauthorized data disclosure, data modification, or even complete compromise of the database server. The vulnerability requires no authentication or user interaction, making it easier to exploit remotely. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with attack vector network (remote), low complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is rated low individually but collectively significant enough to warrant concern. Although no public exploits are currently known in the wild, the exploit code has been made publicly available, increasing the risk of exploitation. The lack of available patches or mitigations from the vendor further elevates the threat level for users of this LMS version.

For European organizations using Campcodes LMS version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive educational data, including student records, grades, and personal information. Exploitation could lead to unauthorized data access, data tampering, or disruption of LMS services, impacting the availability of critical educational platforms. Given the remote exploitability without authentication, attackers could target multiple institutions simultaneously, potentially leading to widespread data breaches or service outages. The educational sector in Europe is increasingly digitized, and such a vulnerability could undermine trust in online learning platforms, disrupt educational continuity, and expose organizations to regulatory penalties under GDPR due to data breaches. Furthermore, the public availability of exploit code increases the likelihood of opportunistic attacks, including by cybercriminal groups targeting educational institutions for data theft or ransomware deployment.

European organizations should immediately assess their use of Campcodes LMS version 1.0 and prioritize upgrading to a patched or newer version once available. In the absence of an official patch, organizations should implement web application firewalls (WAFs) with specific rules to detect and block SQL injection attempts targeting the /login.php endpoint and the Username parameter. Input validation and parameterized queries should be enforced at the application level to sanitize user inputs. Network segmentation can limit the exposure of the LMS backend database to only necessary systems. Regular monitoring of logs for suspicious login attempts or SQL error messages can help detect exploitation attempts early. Organizations should also conduct penetration testing focused on injection flaws and ensure backups of LMS data are current and securely stored to enable recovery in case of compromise. Finally, raising user awareness about the risks and encouraging reporting of anomalies can enhance detection and response capabilities.