CVE-2025-0212

MediumPublic PoC

Published: 04 January 2025

Published

04 January 2025

Modified

10 January 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0007 21.7th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0212 is a medium-severity Injection (CWE-74) vulnerability in Campcodes Student Grading System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection in /view_students.php by validating the 'id' argument against malicious payloads using defined tools and procedures.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and correction of the specific SQL injection flaw in Campcodes Student Grading System 1.0.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Scans the system to detect SQL injection vulnerabilities like CVE-2025-0212 in /view_students.php on a defined frequency.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web app (/view_students.php) enables exploitation of public-facing applications (T1190), data collection from databases (T1213.006), and abuse of server software components (T1505) as mapped by advisories.

NVD Description

A vulnerability was found in Campcodes Student Grading System 1.0. It has been classified as critical. This affects an unknown part of the file /view_students.php. The manipulation of the argument id leads to sql injection. It is possible to initiate…

the attack remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-0212 is a critical SQL injection vulnerability in Campcodes Student Grading System 1.0, affecting the /view_students.php file through manipulation of the 'id' argument. Classified under CWE-74 and CWE-89, it enables attackers to inject malicious SQL payloads into database queries. The issue carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, and requirements for low privileges.

Attackers with low-privileged user access (PR:L) can exploit this remotely without user interaction, potentially extracting sensitive data (C:L), modifying database contents (I:L), or disrupting service availability (A:L). The vulnerability allows remote initiation of SQL injection attacks on the affected endpoint.

Advisories from VulDB (ctiid.290157, id.290157, submit.474168) document the flaw and its public disclosure, while a GitHub repository provides a proof-of-concept exploit. The vendor site at campcodes.com offers no specific patch details in the referenced materials; practitioners should monitor for updates and apply input sanitization or parameterized queries to /view_students.php as interim mitigations.

The exploit has been publicly disclosed, increasing the risk of widespread abuse against unpatched instances of this system.

Details

CWE(s): CWE-74 CWE-89

Affected Products

campcodes

student grading system

1.0

CVEs Like This One

CVE-2025-7183Same vendor: Campcodes

CVE-2025-9744Same vendor: Campcodes

CVE-2025-0210Same vendor: Campcodes

CVE-2025-7220Same vendor: Campcodes

CVE-2025-7218Same vendor: Campcodes

CVE-2025-7219Same vendor: Campcodes

CVE-2026-0597Same vendor: Campcodes

CVE-2025-7217Same vendor: Campcodes

CVE-2024-57162Same vendor: Campcodes

CVE-2025-1379Shared CWE-74, CWE-89

References

https://github.com/shaturo1337/POCs/blob/main/SQL%20Injection%20in%20Student%20Grading%20System.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.290157
Permissions Required · cna@vuldb.com
https://vuldb.com/?id.290157
Third Party Advisory · cna@vuldb.com
https://vuldb.com/?submit.474168
Third Party Advisory · cna@vuldb.com
https://www.campcodes.com/
Product · cna@vuldb.com