Login Sign Up

CVE-2025-9662

7.3 HIGH
SQL Injection Authentication Bypass

📋 TL;DR

CVE-2025-9662 is an SQL injection vulnerability in Simple Grading System 1.0's admin panel login.php file. Attackers can execute arbitrary SQL commands remotely, potentially compromising the database. All deployments of Simple Grading System 1.0 are affected.

💻 Affected Systems

Products:
  • Simple Grading System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin panel component specifically at /login.php. Any installation with this file accessible is vulnerable.

📦 What is this software?

Simple Grading System by Fabian

View all CVEs affecting Simple Grading System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, authentication bypass, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized access to sensitive student/grade data, potential admin account takeover, and database manipulation.

🟢

If Mitigated

Limited impact with proper input validation, WAF rules, and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed and SQL injection is a well-understood attack vector with many automated tools available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates. 2. If no patch, implement workarounds. 3. Consider migrating to alternative software if unmaintained.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameterized queries or prepared statements to login.php to prevent SQL injection.

Modify login.php to use PDO or mysqli prepared statements instead of direct SQL concatenation.

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns targeting /login.php.

Configure WAF to detect and block SQL injection attempts with rules like OWASP CRS 942xxx series.

🧯 If You Can't Patch

  • Restrict network access to the admin panel using firewall rules or IP whitelisting.
  • Implement strong database permissions limiting the application user to only necessary operations.

🔍 How to Verify

Check if Vulnerable:

Test /login.php with SQL injection payloads (e.g., ' OR '1'='1) and observe if it returns unexpected data or errors.

Check Version:

Check the software version in the application interface or configuration files.

Verify Fix Applied:

Retest with SQL injection payloads after applying fixes; successful attacks should be blocked with no data leakage.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts with SQL-like patterns
  • Admin panel access from unexpected IPs

Network Indicators:

  • HTTP requests to /login.php containing SQL keywords (e.g., UNION, SELECT, OR)

SIEM Query:

source="web_logs" AND uri="/login.php" AND (request LIKE "%OR%" OR request LIKE "%UNION%" OR request LIKE "%SELECT%")

📊 Metadata

CVE ID: CVE-2025-9662
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.03% exploit probability (7.4th percentile)
Published: August 29, 2025
Last Updated: September 8, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-9662, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)