CVE-2025-9763 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Learning Management System (LMS). The vulnerability resides in the /student_signup.php file, specifically in the processing of the 'Username' parameter. An attacker can remotely manipulate this parameter to inject malicious SQL code, potentially altering the intended SQL queries executed by the backend database. This can lead to unauthorized data access, data modification, or even complete compromise of the database. The vulnerability requires no authentication or user interaction, making it exploitable by any remote attacker with network access to the affected system. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is rated as low individually but combined can lead to significant data exposure or disruption. Although no public exploits are currently known in the wild, the exploit code has been made publicly available, increasing the risk of exploitation. No patches or vendor advisories have been published yet, indicating that affected organizations must implement mitigations proactively. The vulnerability affects only version 1.0 of the Campcodes LMS, which is a niche product focused on online education environments.

For European organizations using Campcodes LMS version 1.0, this vulnerability poses a tangible risk of data breaches involving student information, including personally identifiable information (PII) and potentially sensitive academic records. Exploitation could lead to unauthorized disclosure or alteration of student data, undermining data integrity and privacy compliance obligations under GDPR. Additionally, attackers could disrupt LMS availability, impacting educational continuity. Given the remote and unauthenticated nature of the exploit, attackers could automate attacks at scale, targeting multiple institutions. The medium severity rating suggests moderate but non-negligible risk, especially for organizations lacking compensating controls such as web application firewalls or input validation. The absence of patches increases exposure duration, necessitating immediate mitigation. The impact is more pronounced for institutions with large student bodies or those handling sensitive educational data. Furthermore, reputational damage and regulatory penalties could arise from exploitation. Overall, the threat is significant for European educational institutions relying on this LMS version, especially those without robust cybersecurity defenses.

1. Immediate implementation of input validation and sanitization on the 'Username' parameter in /student_signup.php to prevent SQL injection. Employ parameterized queries or prepared statements in the application code. 2. Deploy a Web Application Firewall (WAF) configured to detect and block SQL injection patterns targeting the LMS. 3. Conduct a thorough security audit of the Campcodes LMS deployment to identify and remediate any additional injection points or vulnerabilities. 4. Restrict network access to the LMS server to trusted IP ranges where feasible, reducing exposure to remote attacks. 5. Monitor application logs and database logs for suspicious activities indicative of SQL injection attempts. 6. Engage with the vendor for patches or updates and plan for an upgrade to a fixed version once available. 7. Educate IT and security teams on this vulnerability and ensure incident response plans include scenarios involving LMS compromise. 8. Consider isolating the LMS environment within a segmented network zone to limit lateral movement in case of compromise.