CVE-2025-9664 Overview
CVE-2025-9664 is a SQL injection vulnerability in code-projects Simple Grading System 1.0. The flaw resides in the /add_student_grade.php file within the Admin Panel component. Attackers can manipulate the Add argument to inject arbitrary SQL statements into the application's database queries [CWE-74].
The vulnerability is exploitable remotely over the network and requires low-level privileges. Public exploit details have been released, increasing the likelihood of opportunistic attacks against exposed instances.
Critical Impact
Authenticated attackers can inject SQL commands through the Admin Panel to read, modify, or delete grading records and potentially access other database contents.
Affected Products
- Fabian Simple Grading System 1.0
- /add_student_grade.php endpoint within the Admin Panel component
- Deployments referenced under CPE cpe:2.3:a:fabian:simple_grading_system:1.0
Discovery Timeline
- 2025-08-29 - CVE-2025-9664 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-9664
Vulnerability Analysis
The vulnerability is a SQL injection flaw in the administrative grade submission workflow. The /add_student_grade.php script processes the Add parameter without proper sanitization or parameterized queries. An authenticated attacker with access to the Admin Panel can supply crafted input that breaks out of the intended SQL context.
Because the application concatenates user-supplied data directly into SQL statements, the database executes attacker-controlled queries. The EPSS score for this issue is 0.064% with a percentile of 20.143, indicating limited observed exploitation activity at this time.
Root Cause
The root cause is improper neutralization of special elements in a downstream component, classified under [CWE-74]. The add_student_grade.php handler trusts the Add request parameter and embeds it into SQL queries without using prepared statements or input validation. This allows characters such as single quotes, comments, and statement terminators to alter query semantics.
Attack Vector
Exploitation occurs remotely over HTTP against the Admin Panel. An attacker must hold a low-privileged Admin Panel account to reach the vulnerable endpoint. Once authenticated, the attacker sends a POST or GET request to /add_student_grade.php with a malicious Add value containing SQL syntax such as a UNION SELECT or boolean-based payload. The backend then executes the injected SQL against the grading database.
No specialized tooling is required, and the exploit has been publicly disclosed through VulDB submission #637255 and supporting research notes. See the VulDB entry for ID 321871 and the Yuque research document for additional technical context.
Detection Methods for CVE-2025-9664
Indicators of Compromise
- HTTP requests to /add_student_grade.php containing SQL metacharacters such as single quotes, --, UNION, SELECT, or SLEEP in the Add parameter.
- Unexpected database errors or anomalous query patterns originating from the Simple Grading System backend.
- New or modified rows in grading tables that do not correlate to legitimate administrative activity.
Detection Strategies
- Inspect web server access logs for requests targeting /add_student_grade.php with unusually long or encoded Add parameter values.
- Deploy web application firewall rules that flag classic SQL injection signatures against the Admin Panel endpoints.
- Correlate authentication events for Admin Panel accounts with subsequent database query anomalies to identify abuse of low-privileged credentials.
Monitoring Recommendations
- Enable verbose query logging on the MySQL or MariaDB instance backing the application and alert on syntactically invalid statements.
- Monitor outbound connections from the web server to detect data exfiltration following a successful injection.
- Track failed and successful logins to the Admin Panel for brute-force patterns that may precede exploitation.
How to Mitigate CVE-2025-9664
Immediate Actions Required
- Restrict access to the Admin Panel to trusted networks using IP allowlists or VPN-only access until a fix is applied.
- Audit all Admin Panel accounts and disable any unused or default credentials that could be leveraged to reach the vulnerable endpoint.
- Review database logs for evidence of prior exploitation against /add_student_grade.php.
Patch Information
No official vendor patch is listed in the available references for Fabian Simple Grading System 1.0. Operators should monitor the code-projects.org site for updates and consider replacing the application if a maintained fork is unavailable.
Workarounds
- Place the application behind a web application firewall configured to block SQL injection payloads targeting the Add parameter.
- Modify add_student_grade.php locally to use parameterized queries or prepared statements via PDO or mysqli with bound parameters.
- Apply server-side input validation that constrains the Add parameter to expected numeric or alphanumeric values.
# Example ModSecurity rule to block SQL injection attempts against the vulnerable endpoint
SecRule REQUEST_URI "@beginsWith /add_student_grade.php" \
"id:1009664,phase:2,deny,status:403,\
msg:'Possible CVE-2025-9664 SQLi attempt',\
chain"
SecRule ARGS:Add "@detectSQLi" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

