CVE Alert: CVE-2025-9763 – Campcodes – Online Learning Management System

CVE-2025-9763

Severity: HIGH. Exploitation in the wild: none known (a public exploit does exist; see the description below).

A vulnerability was detected in Campcodes Online Learning Management System 1.0. It affects unspecified processing in the file /student_signup.php: manipulation of the Username argument leads to SQL injection (CWE-89). The attack can be launched remotely and requires no authentication, and a public exploit is available.

CVSS v3.1 base score: 7.3 (High)

Details

  • Vendor: Campcodes
  • Product: Online Learning Management System
  • Versions: 1.0
  • CWE: CWE-89, SQL Injection
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  • Published: 2025-09-01T05:02:06.653Z
  • Updated: 2025-09-01T05:02:06.653Z

AI Summary Analysis

Risk verdict

High risk: remote, unauthenticated SQL injection with a publicly available exploit increases the likelihood of data exposure and service impact.

Why this matters

The flaw sits in a web-facing signup endpoint, so an attacker can alter database queries without holding any credentials. The CVSS vector rates confidentiality, integrity and availability impact as Low each, but in practice the outcomes include leakage of student or staff records, modification of records, or disruption of student registrations, any of which can undermine trust, regulatory compliance and operational continuity for education providers.

Most likely attack path

ATT&CK-style inference: an attacker with network access to the application sends crafted input in the Username parameter of /student_signup.php; no user interaction is needed. Because the value is incorporated into a SQL statement without proper handling, the injected text changes the statement the backend executes, allowing data to be read or modified. The impact is to the confidentiality, integrity and availability of the database layer, with no precondition beyond reachable web traffic to the signup page.

Who is most exposed

Web-facing Campcodes LMS deployments, common in educational institutions or private training providers, especially those hosted on shared/public infrastructure where signup endpoints are exposed to the internet.

Detection ideas

  • Application or database logs show SQL errors, or the web server returns HTTP 500s, for requests to /student_signup.php.
  • Requests contain typical SQLi payloads (quotes, comment sequences, UNION SELECT, tautologies, time-delay functions) in the Username parameter. Note that a signup form is normally submitted by POST, so the parameter will not appear in access logs; use WAF, reverse-proxy or application logs that record the request body.
  • Spike in database errors or slow queries coinciding with traffic to /student_signup.php (time-based payloads show up as unusually slow requests).
  • WAF or IDS alerts on SQL injection signatures or on encoding-based evasion attempts (double URL-encoding, mixed case, inline comments).
  • Repeated signup attempts, successful or not, from many source IPs with anomalous usernames.
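The detection ideas above, turned into a small log scanner. This is an added example and not code from Campcodes or from the alert feed; the log lines are constructed in combined-log format and carry Username in the query string purely so the example is self-contained, since a real signup form most likely POSTs the field. The indicator regexes are an illustrative starting set, not a complete SQLi signature list.

```python
"""Flag likely SQL-injection probes against the Username parameter of /student_signup.php.

Added example (not Campcodes code). Sample lines are constructed; in production feed
the same fields from WAF or application logs that record the POST body.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/Nginx "combined" format, only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_PATH = "/student_signup.php"
TARGET_PARAM = "username"  # parameter names are compared case-insensitively

# (indicator name, regex). A lone quote is noisy on its own (think O'Brien);
# the other indicators are much stronger signals.
SQLI_PATTERNS = [
    ("quote_or_comment", re.compile(r"['\"]|--|#|/\*")),
    ("union_select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("tautology", re.compile(r"\b(or|and)\b\s*['\"]?\s*\w+\s*['\"]?\s*=\s*['\"]?\s*\w+", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark|waitfor\s+delay|pg_sleep)\b", re.I)),
    ("stacked_query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]

# Constructed sample log; IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2025:05:10:01 +0000] "GET /student_signup.php?Username=alice&Password=x HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Sep/2025:05:10:02 +0000] "GET /student_signup.php?Username=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0',
    '198.51.100.4 - - [01/Sep/2025:05:10:03 +0000] "GET /student_signup.php?Username=x%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20- HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Sep/2025:05:10:04 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 100',
    '192.0.2.9 - - [01/Sep/2025:05:10:05 +0000] "GET /student_signup.php?Username=bob%2527%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 300',
]


def classify_value(value: str) -> list[str]:
    """Return the names of the SQLi indicators that match a parameter value.

    parse_qs has already decoded once; decoding again catches %2527-style
    double encoding used to slip past naive filters.
    """
    decoded = unquote_plus(value)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": url.path, "params": params, "status": int(m["status"])}


def scan(lines) -> list[dict]:
    """Return one hit per suspicious Username value sent to the signup endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["params"].get(TARGET_PARAM, []):
            indicators = classify_value(value)
            if indicators:
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "value": unquote_plus(value), "indicators": indicators})
    return hits


def summarise(hits) -> dict[str, int]:
    """Count hits per source IP, to spot the 'many IPs, anomalous usernames' pattern."""
    per_ip: dict[str, int] = {}
    for h in hits:
        per_ip[h["ip"]] = per_ip.get(h["ip"], 0) + 1
    return per_ip


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} {h["indicators"]} :: {h["value"]}')
    print("per source IP:", summarise(found))
```

The HTTP status is kept on each hit because a 500 alongside an injection indicator is the strongest sign the payload actually reached the database (the first detection idea), while a 200 with a large response on a UNION payload suggests data came back. Tune the quote rule before alerting on it alone.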

Mitigation and prioritisation

  • Upgrade to a fixed release if the vendor provides one. Independently of that, make sure every query built from signup input uses parameterised statements (prepared statements with bound values); this is the fix, not a workaround.
  • Run the web application under a least-privilege database account: grant only the operations and tables the application needs, and never schema-altering or file-access privileges.
  • Add server-side input validation (length, allowed character set) as defence in depth; validation on its own does not prevent SQL injection. Handle database errors centrally and disable verbose DB error output to clients.
  • Deploy or tune a WAF with SQL injection rules in front of the signup endpoint, monitor it for anomalies and set up alerting, recognising that a WAF buys time and is not a substitute for the code fix.
  • Change management: test the fix in staging, plan the production rollout, and verify data integrity after patching in case records were already modified.
  • If the CVE appears in CISA KEV or its EPSS score is 0.5 or higher, treat remediation as priority 1.
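To make the first three mitigation items concrete, here is the weak pattern behind CWE-89 beside its parameterised replacement, wrapped in a hardened signup check. This is an added example on a constructed `students` table using sqlite3 as a stand-in database; it is not Campcodes code and does not reproduce the published exploit. The username policy in `USERNAME_RE` is an assumption for the example.

```python
"""Signup username lookup: string-built SQL (CWE-89) beside the parameterised fix.

Added example with a constructed schema; not Campcodes code. sqlite3 stands in
for the real database so the example runs offline.
"""
import re
import sqlite3

# Assumed username policy for this example: 3-32 chars, letters, digits, _ . -
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two existing students."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (username, password_hash) VALUES (?, ?)",
        [("alice", "hash1"), ("bob", "hash2")],
    )
    conn.commit()
    return conn


def find_student_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Weak pattern: the client-supplied value is spliced into the SQL text.

    A quote in the input ends the string literal, so the rest of the value
    becomes SQL: a tautology matches every row and a UNION reads other columns.
    """
    sql = f"SELECT id FROM students WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_student_fixed(conn: sqlite3.Connection, username: str) -> list:
    """Fix: a bound parameter. The value is sent as data and cannot alter the statement."""
    return conn.execute("SELECT id FROM students WHERE username = ?", (username,)).fetchall()


def signup(conn: sqlite3.Connection, username: str, password_hash: str) -> str:
    """Hardened handler: validate, parameterise, and never echo DB errors to the client."""
    if not USERNAME_RE.fullmatch(username):
        return "invalid username"
    try:
        if find_student_fixed(conn, username):
            return "username taken"
        conn.execute(
            "INSERT INTO students (username, password_hash) VALUES (?, ?)",
            (username, password_hash),
        )
        conn.commit()
        return "ok"
    except sqlite3.Error:
        # Log the exception server-side; the client only sees a generic message.
        return "signup failed"


if __name__ == "__main__":
    db = make_db()
    tautology = "nobody' OR '1'='1"
    union = "x' UNION SELECT password_hash FROM students --"
    print("vulnerable, tautology :", find_student_vulnerable(db, tautology))
    print("fixed, tautology      :", find_student_fixed(db, tautology))
    print("vulnerable, union     :", find_student_vulnerable(db, union))
    print("fixed, union          :", find_student_fixed(db, union))
    print("signup(tautology)     :", signup(db, tautology, "h"))
    print("signup(carol)         :", signup(db, "carol", "h3"))
```

The parameterised query is what removes the vulnerability; `USERNAME_RE` only narrows the attack surface and keeps junk out of the table. On a real MySQL or MariaDB deployment the same idea extends to the account the application connects with: grant it SELECT and INSERT on the tables the signup flow touches and nothing more, so that even a missed injection point cannot read unrelated tables or alter the schema.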
