CVE-2025-9665 in Simple Grading Systeminfo

Summary

by MITRE • 08/29/2025

A weakness has been identified in code-projects Simple Grading System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_student.php of the component Admin Panel. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/09/2025

The vulnerability identified in CVE-2025-9665 represents a critical sql injection flaw within the code-projects Simple Grading System version 1.0, specifically affecting the administrative panel functionality. This weakness resides in the /edit_student.php file where improper input validation allows malicious actors to manipulate the ID argument parameter, creating an avenue for unauthorized database access and potential system compromise. The vulnerability's classification aligns with CWE-89 which specifically addresses sql injection vulnerabilities that occur when untrusted data is incorporated into sql queries without proper sanitization or parameterization. The attack vector is remote, meaning that malicious actors can exploit this vulnerability without requiring physical access to the system, making it particularly dangerous for web-based applications.

The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could enable attackers to execute arbitrary sql commands against the underlying database. This capability allows for data modification, deletion, or unauthorized access to sensitive student information, potentially exposing personal details, academic records, and grading data. The vulnerability's public exploit availability significantly increases the risk profile, as it removes the barrier to entry for potential attackers who may not possess advanced technical skills to develop custom exploitation techniques. Attackers can leverage this vulnerability to escalate privileges within the system, potentially gaining administrative control over the entire grading platform. According to ATT&CK framework, this vulnerability maps to T1190 - Exploit Public-Facing Application, demonstrating how publicly accessible web applications serve as primary attack vectors for sql injection exploits.

Mitigation strategies should focus on implementing robust input validation and parameterized queries throughout the application codebase, particularly within the administrative components where this vulnerability was discovered. The implementation of prepared statements and stored procedures would effectively prevent the sql injection attack by separating sql command structure from data values. Additionally, proper access controls and authentication mechanisms should be enforced within the admin panel to limit unauthorized access attempts. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities across the entire application codebase, as this flaw may indicate broader security weaknesses in the application architecture. Network segmentation and web application firewalls should be deployed to monitor and filter malicious traffic attempting to exploit this vulnerability, while also implementing proper logging and monitoring to detect suspicious activities in real-time. The vulnerability's classification as a remote exploit underscores the importance of maintaining up-to-date security patches and conducting regular vulnerability assessments to prevent unauthorized access to sensitive educational data systems.

Responsible

VulDB

Disclosure

08/29/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00351

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!