
CVE-2025-9786: SQL Injection in Campcodes Online Learning Management System

Medium
Published: Mon Sep 01 2025 (09/01/2025, 15:32:07 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Learning Management System

Description

A vulnerability was found in Campcodes Online Learning Management System 1.0. Affected is an unknown function of the file /teacher_signup.php. Performing manipulation of the argument firstname results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used. Other parameters might be affected as well.

AI-Powered Analysis

Last updated: 09/01/2025, 16:02:41 UTC

Technical Analysis

CVE-2025-9786 is a SQL injection vulnerability in version 1.0 of the Campcodes Online Learning Management System (LMS). It lies in /teacher_signup.php, in the handling of the 'firstname' parameter: a remote attacker can manipulate this parameter to inject SQL into the backend query, potentially gaining unauthorized read or write access to the database. Exploitation requires neither authentication nor user interaction, so the flaw is reachable by anyone who can reach the signup page over the network. Whether parameters other than 'firstname' are also affected is unknown, but additional vulnerable inputs cannot be ruled out. The CVSS 4.0 base score is 6.9 (medium); the vector reflects no privileges required, no user interaction and low attack complexity, with limited but real impact on confidentiality, integrity and availability, since an attacker could read or alter sensitive data held in the LMS database. No patch or fix has been publicly linked yet, and no exploitation in the wild has been reported, but a public exploit is available, which raises the likelihood of exploitation.

Potential Impact

For European organizations using Campcodes LMS version 1.0, this vulnerability poses a tangible risk to the confidentiality and integrity of sensitive educational data, including teacher and student information. Successful exploitation could lead to unauthorized data disclosure, data tampering, or disruption of LMS services, potentially impacting educational continuity and compliance with data protection regulations such as GDPR. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially in institutions with internet-facing LMS deployments. The medium severity score reflects a moderate risk, but the presence of a public exploit elevates the urgency for mitigation. Organizations may face reputational damage, legal consequences, and operational disruptions if the vulnerability is exploited.

Mitigation Recommendations

European organizations should immediately assess their use of Campcodes LMS version 1.0 and prioritize upgrading to a patched version once available. In the absence of an official patch, organizations should implement web application firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'firstname' parameter and other input fields in /teacher_signup.php. Input validation and parameterized queries should be enforced at the application level to prevent injection. Network segmentation and restricting access to the LMS server to trusted IP ranges can reduce exposure. Regular monitoring of logs for suspicious SQL errors or unusual database queries is recommended to detect potential exploitation attempts. Additionally, organizations should review and tighten database user permissions to limit the impact of any successful injection. Finally, maintaining up-to-date backups of LMS data will aid in recovery if data integrity is compromised.
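The parameterized-query and input-validation pattern recommended above, as an added example that is not Campcodes code: a Python/sqlite3 analogue of what a hardened teacher_signup.php handler should do with the 'firstname' parameter. The table schema, column names and sample inputs are constructed for illustration.

```python
import re
import sqlite3

# Allow-list for a first name: letters, spaces, hyphens and apostrophes, max 50 chars.
# Apostrophes are legitimate (O'Brien), so injection defence must not rely on
# rejecting them; the bound parameter below is what actually neutralises quotes.
FIRSTNAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")


def validate_firstname(value: str) -> bool:
    """Return True when the submitted firstname matches the allow-list."""
    return FIRSTNAME_RE.fullmatch(value) is not None


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the LMS teacher table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE teacher (id INTEGER PRIMARY KEY, firstname TEXT NOT NULL, "
        "email TEXT NOT NULL UNIQUE)"
    )
    return conn


def register_teacher(conn: sqlite3.Connection, firstname: str, email: str) -> bool:
    """Hardened signup: validate, then INSERT with bound parameters.

    The driver sends the values separately from the statement text, so quotes or
    comment sequences inside `firstname` are stored as data, never parsed as SQL.
    """
    if not validate_firstname(firstname):
        return False
    conn.execute(
        "INSERT INTO teacher (firstname, email) VALUES (?, ?)",
        (firstname, email),
    )
    conn.commit()
    return True


def stored_firstnames(conn: sqlite3.Connection) -> list[str]:
    """Read back what was actually stored, to verify the value was kept literal."""
    return [row[0] for row in conn.execute("SELECT firstname FROM teacher ORDER BY id")]


if __name__ == "__main__":
    db = setup_db()
    print(register_teacher(db, "O'Brien", "obrien@example.org"))  # True: apostrophe kept literal
    print(register_teacher(db, "Bob; --", "bob@example.org"))      # False: rejected by allow-list
    print(stored_firstnames(db))                                   # ["O'Brien"]
```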


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-01T09:27:51.528Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b5c01cad5a09ad00d0a275

Added to database: 9/1/2025, 3:47:40 PM

Last enriched: 9/1/2025, 4:02:41 PM

Last updated: 9/3/2025, 5:26:17 PM
