CVE Alert: CVE-2025-10425 – 1000projects – Online Student Project Report Submission and Evaluation System

CVE-2025-10425

Severity: HIGH | No exploitation known | PoC observed

A vulnerability was identified in 1000projects Online Student Project Report Submission and Evaluation System 1.0. The affected component is an unknown function of the file /admin/controller/student_controller.php. Manipulation of the argument new_image leads to unrestricted file upload. The attack can be launched remotely. The exploit is publicly available and might be used.

CVSS v3.1 score: 7.3
Vendor: 1000projects
Product: Online Student Project Report Submission and Evaluation System
Versions: 1.0
CWE: CWE-434, Unrestricted Upload
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-15T04:02:07.414Z
Updated: 2025-09-15T17:01:01.187Z

AI Summary Analysis

Risk verdict

High risk: remote unrestricted file upload with a publicly available exploit pathway, enabling potential remote code execution on web-facing installations.

Why this matters

Unauthorised upload of arbitrary content can lead to server compromise, leakage of student data, and disruption of submission and evaluation workflows. In educational environments this threatens the integrity of records and regulatory posture, and creates reputational risk if attackers pivot to other systems or exfiltrate credentials.

Most likely attack path

An accessible admin endpoint lets an unauthenticated user manipulate the image upload parameter, bypassing access controls. The exploit requires no user interaction and uses a network-based, low-complexity vector, which lowers the bar for automation and rapid propagation from a compromised host. Per the CVSS metrics the impact remains partial unless subsequent code execution occurs.

Who is most exposed

Universities or schools using the 1000projects online system, especially those deployed on LAMP-style stacks with public admin interfaces. Organisations hosting student submission portals or evaluation modules are most at risk.

Detection ideas

  • Repeated requests to admin/controller/student_controller.php with manipulated new_image values.
  • Upload attempts of files with suspicious extensions or MIME types, especially PHP/ASP scripts.
  • Uploads stored outside the web root or with executable permissions in the uploads directory.
  • Anomalous spikes in file upload size or frequency from single IPs.
  • Web server error patterns indicating execution of uploaded content.

Mitigation and prioritisation

  • Apply the available patch or upgrade to a fixed version immediately; if none is available, implement compensating controls.
  • Enforce strict upload validation: allow-listed MIME types, file extensions, and content checks; reject PHP/JS payloads.
  • Store uploads outside the web root; disable execution in the uploads directory; implement content-scanning on ingestion.
  • Strengthen access controls around the admin endpoint; require authentication and tiered privileges.
  • Logging and alerting: monitor for anomalous new_image submissions and post-upload file activity.
  • If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1. Otherwise, escalate to high with rapid mitigation and testing in a staging environment.
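The validation and storage controls in the list above, as an added example in Python (not code from 1000projects or the affected application): the handler allow-lists extensions, checks the declared MIME type and the file's magic bytes, rejects bodies carrying script markers, and writes the file under a random name with non-executable permissions. The names `validate_new_image`, `store_new_image` and the `upload_root` directory are assumptions for this example; `upload_root` is meant to sit outside the web root.

```python
import os
import secrets
from pathlib import Path

# Allow-listed extensions mapped to the magic bytes a real file of that type starts with.
# Constructed for this example; extend only with types the application genuinely needs.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Declared MIME type a well-behaved client sends for each allowed extension.
EXPECTED_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}
# Heuristic: these byte sequences do not belong in a plain image, whatever it is named.
SCRIPT_MARKERS = (b"<?php", b"<script")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller logs it and returns an error."""


def validate_new_image(filename: str, declared_mime: str, data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Validate a new_image upload and return its allow-listed extension, or raise UploadRejected."""
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    # Only the final extension counts, lower-cased, so 'shell.php.png' is judged on 'png';
    # the magic-byte check below then decides whether the body really is a PNG.
    ext = Path(filename).suffix.lstrip(".").lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if declared_mime.lower() != EXPECTED_MIME[ext]:
        raise UploadRejected(f"MIME {declared_mime!r} does not match extension {ext!r}")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        raise UploadRejected("embedded script marker found")
    return ext


def store_new_image(filename: str, declared_mime: str, data: bytes, upload_root: str) -> Path:
    """Write a validated upload under upload_root with a random name; return the path written."""
    ext = validate_new_image(filename, declared_mime, data)
    root = Path(upload_root).resolve()
    root.mkdir(parents=True, exist_ok=True)
    # A random server-chosen name discards the client filename entirely (no path or name reuse).
    dest = root / f"{secrets.token_hex(16)}.{ext}"
    with open(dest, "xb") as fh:  # 'x' mode refuses to overwrite an existing file
        fh.write(data)
    os.chmod(dest, 0o640)  # readable by the application, never executable
    return dest
```

Serving the stored file back through a script that reads it and sets the Content-Type, rather than exposing `upload_root` directly, keeps the "no execution in the uploads directory" control intact even if the web server configuration drifts.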
