01 · The Real Story
This is a sharp knife left in a toy kitchen, dangerous if you actually put it on the counter
CVE-2025-0210 is an unauthenticated SQL injection in Campcodes School Faculty Scheduling System 1.0, specifically the login handler at /admin/ajax.php?action=login. The public proof-of-concept shows the username parameter being concatenated directly into a SQL query, enabling blind time-based injection against the app's user database and likely admin auth bypass or data extraction. Publicly documented affected range is only version 1.0; I found no authoritative fixed release from Campcodes.
The vendor/CNA baseline of HIGH 7.3 overstates enterprise urgency. Technically this is a real pre-auth remote bug, but in the real world it sits in a niche educational PHP source-code project, not a mainstream enterprise platform, with very low EPSS, no KEV listing, and no visible evidence of broad attacker attention in the reviewed public sources. For a team managing 10,000 hosts, this belongs in backlog hygiene unless you knowingly run this app on an internet-facing server.
"Real bug, trivial exploit, but on a fringe PHP school app with almost no enterprise footprint"
02 · The Attack Path
4 steps from start to impact.
STEP 01
Reach the exposed login endpoint
The attacker first needs HTTP access to
/admin/login.php and the AJAX backend /admin/ajax.php?action=login. This is plain web exposure, so tooling is trivial: a browser, curl, Burp Suite, or the public GitHub PoC is enough.Conditions required:
- The organization actually deploys Campcodes School Faculty Scheduling System 1.0
- The app is reachable over HTTP/HTTPS from the attacker position
Where this breaks in practice:
- Most enterprises do not run this niche Campcodes educational app at all
- Many real deployments of school scheduling apps are internal-only or abandoned lab installs, not internet-facing production assets
Detection/coverage: External ASM and web scanners can find the path if the site is exposed, but generic vuln scanners may miss the exact app fingerprint unless they probe this endpoint specifically.
STEP 02
Trigger blind SQL injection in username
The PoC shows
username flowing directly into SELECT * FROM users where username = '...' and password = '...', allowing time-based blind SQLi with payloads like SLEEP(7). Weaponization is straightforward with Burp Repeater or sqlmap, although this specific vector is blind rather than error-based, so exploitation is slower and noisier than a full echo-based injection.Conditions required:
- The vulnerable code path is unmodified from version 1.0
- The backend database executes injected timing functions
Where this breaks in practice:
- Blind SQLi requires multiple requests and timing analysis, which is slower than one-shot auth bypass in some environments
- WAFs, reverse proxies, or custom input filters may break common payloads even if the code is still vulnerable
Detection/coverage: WAF, reverse-proxy, and web-server logs may show repeated login POSTs containing quotes, comment markers, or timing probes. Signature-based scanners should catch the vulnerable query pattern if authenticated or path-aware checks exist.
STEP 03
Extract data or bypass app authentication
Once confirmed, the attacker can enumerate the schema, dump credential hashes, or manipulate the login condition to reach the application's admin functionality. The practical blast radius is usually the application database and whatever that app account can touch, not automatic host takeover.
Conditions required:
- The DB user backing the app has enough read/write privileges
- The target stores usable admin records or sensitive scheduling/personnel data
Where this breaks in practice:
- Impact is constrained to the app and its database permissions unless another weakness allows pivoting
- No reviewed source showed a published chained RCE from this bug alone
Detection/coverage: DB logs, slow-query logs, and WAF telemetry can expose timing-based extraction attempts. App-layer detection is decent if logging exists; many small PHP installs simply do not log enough.
STEP 04
Abuse the compromised app context
Post-exploitation use is likely credential recovery, admin-panel abuse, data tampering, or using the compromised web app as a foothold on an already weak server. This is where risk becomes environment-specific: a throwaway demo site is low consequence, while a live student/staff system exposed to the internet is materially worse.
Conditions required:
- The app stores real data or shares credentials with other systems
- The host is poorly segmented or reused for other workloads
Where this breaks in practice:
- Modern enterprises usually isolate low-value web apps and do not reuse app DB credentials broadly
- There is no source-backed indication this CVE alone yields direct OS command execution
Detection/coverage: EDR will not help much until activity leaves the web stack. Detection depends more on web logs, DB audit logs, and unusual admin actions in the application.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No authoritative public evidence found in reviewed sources that this CVE is being exploited at scale. It is not listed in CISA KEV. |
|---|---|
| KEV status | Not KEV-listed as of the reviewed CISA KEV catalog page. |
| Proof-of-concept availability | Public PoC exists: John Alan Correche / shaturo1337 published a GitHub markdown PoC showing the vulnerable query and a time-based payload. |
| EPSS | 0.0009 from your intel block, which is extremely low and consistent with a fringe product seeing little attacker attention. I did not find an authoritative per-CVE FIRST result page in-browser, only FIRST's EPSS methodology pages. |
| CVSS baseline | CNA/vendor baseline in your intel is 7.3 HIGH with CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. NVD/OSV also show enrichment describing the same issue, and public mirrors show a CVSS v4.0 6.9 MEDIUM entry from VulDB. |
| Weakness class | SQL injection in the login flow. Public sources map it broadly to CWE-74, while VulDB and the PoC make the more specific CWE-89 interpretation obvious. |
| Affected versions | Reviewed sources only identify Campcodes School Faculty Scheduling System 1.0 as affected. |
| Fixed version | No authoritative fixed version found. Campcodes appears to distribute this as downloadable source code rather than a strongly versioned supported enterprise product. |
| Exposure reality | Downward pressure is strong. This is a niche educational PHP sample app from Campcodes, so the exposed population in a typical enterprise estate is likely near zero unless you specifically host school/lab projects. |
| Disclosure | Published 2025-01-04; public references indicate the record was updated around 2025-01-10. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to LOW (3.4/10)
The decisive factor is exposure population: this is a fringe Campcodes educational PHP app that most enterprises simply do not run, so the reachable victim set is tiny. Even when present, the blast radius is usually the web app and its database context rather than immediate cross-environment compromise.
HIGH Technical existence of the SQL injection
MEDIUM Assessment that real-world enterprise exposure is very limited
MEDIUM Conclusion that impact is usually app/database scoped, not host takeover
Why this verdict
- Start at vendor HIGH 7.3 because this is pre-auth remote SQL injection on a login endpoint with a public PoC.
- Downgrade for attacker economics because the target is a niche Campcodes educational/source-code application, not a common enterprise platform, which sharply narrows the victim pool.
- Downgrade for real deployment patterns because this kind of PHP school project is often labware, internal-only, or abandoned content rather than a hardened, internet-facing business-critical service.
- Downgrade for blast radius because the sourced evidence supports app/database compromise, auth bypass, and data manipulation, but not a demonstrated direct OS-level RCE chain.
- Hold above IGNORE because if you do have this app exposed, exploitation is easy, unauthenticated, and operationally useful to an attacker.
Why not higher?
A higher score would require a broader exposed population, active exploitation evidence, KEV inclusion, or a clearer path to cross-host compromise. None of that showed up in the reviewed sources. This bug is serious on the individual app, but not strategically important across a normal enterprise fleet.
Why not lower?
It is not IGNORE because the vulnerability is real, reachable over the network, and backed by public proof-of-concept details. If an exposed instance exists in your environment, an unauthenticated attacker can likely extract data or bypass the app's login with very little effort.
05 · Compensating Control
What to do — in priority order.
- Inventory the app — Search ASM, CMDB, repo mirrors, and VM/web-server content for
School Faculty Scheduling System,/admin/ajax.php?action=login, or the vulnerable SQL string. For a LOW verdict there is no SLA (treat as backlog hygiene), but do this in the next normal hygiene cycle so you can quickly close as not applicable or isolate the rare instance you do have. - Restrict admin paths — If you find a live instance, put
/admin/behind VPN, IP allowlisting, or reverse-proxy authentication. This reduces exposure immediately and is the fastest containment step for a PHP app with no clear vendor patch; for LOW there is no SLA (treat as backlog hygiene). - Add a WAF rule — Block or challenge SQLi patterns on the login POST to
/admin/ajax.php?action=login, especially quote-plus-comment and timing-function payloads. This is only a compensating control, but it meaningfully raises attacker cost on exposed instances; again, LOW means no SLA (treat as backlog hygiene). - Patch locally or retire it — Because no authoritative fixed release was located, the practical fix may be code-level remediation: parameterize the query in
admin/ajax.phpor remove the app entirely if it is non-production sampleware. For LOW there is no SLA (treat as backlog hygiene), so route it through normal application maintenance instead of emergency patch lanes.
What doesn't work
- Relying on EDR alone does not help much because the exploit happens inside normal web and database traffic before any obvious endpoint behavior appears.
- Forcing MFA on the app login does not fix pre-auth SQL injection in the login handler itself.
- Generic network segmentation is not enough if the app is already internet-facing through a reverse proxy or school portal.
06 · Verification
Crowdsourced verification payload.
Run this on the target web server that hosts the application source, not from your auditor workstation. Invoke it as bash check_cve_2025_0210.sh /var/www/html/scheduling with read access to the app files; root is not required unless the web root is restricted.
#!/usr/bin/env bash
# check_cve_2025_0210.sh
# Detect likely vulnerable Campcodes School Faculty Scheduling System 1.0 login code.
# Usage: bash check_cve_2025_0210.sh /path/to/app
# Exit codes: 0 PATCHED, 1 VULNERABLE, 2 UNKNOWN / usage / path problem
set -u
APP_PATH="${1:-}"
if [[ -z "$APP_PATH" ]]; then
echo "UNKNOWN - usage: $0 /path/to/app"
exit 2
fi
TARGET_FILE="$APP_PATH/admin/ajax.php"
if [[ ! -f "$TARGET_FILE" ]]; then
echo "UNKNOWN - file not found: $TARGET_FILE"
exit 2
fi
# Normalize path for messages
TARGET_FILE="$(cd "$(dirname "$TARGET_FILE")" && pwd)/$(basename "$TARGET_FILE")"
# Heuristics:
# 1) vulnerable function name present
# 2) direct concatenation of $username into SQL query
# 3) login action endpoint likely exists in this app tree
has_login_fn=0
has_username_concat=0
has_password_concat=0
has_users_query=0
if grep -Eq 'function[[:space:]]+login[[:space:]]*\(' "$TARGET_FILE"; then
has_login_fn=1
fi
if grep -Eq "username[[:space:]]*=.*\$username|where username = '\"\.\$username\.\"'|where username = '\''\.\$username\.\''" "$TARGET_FILE"; then
has_username_concat=1
fi
if grep -Eq "password[[:space:]]*=.*md5\(\$password\)|password = '\"\.md5\(\$password\)\.\"'|password = '\''\.md5\(\$password\)\.\''" "$TARGET_FILE"; then
has_password_concat=1
fi
if grep -Eq 'SELECT \* FROM users|select \* from users' "$TARGET_FILE"; then
has_users_query=1
fi
# Stronger exact pattern match from public PoC/source snippet
if grep -Fq "SELECT * FROM users where username = '" "$TARGET_FILE" && grep -Fq "and password = '" "$TARGET_FILE"; then
echo "VULNERABLE - found login query with direct username/password concatenation in $TARGET_FILE"
exit 1
fi
# Secondary heuristic match
if [[ $has_login_fn -eq 1 && $has_username_concat -eq 1 && $has_users_query -eq 1 ]]; then
echo "VULNERABLE - likely matching vulnerable login code pattern in $TARGET_FILE"
exit 1
fi
# Look for signs of remediation: prepared statements or parameter binding in file
if grep -Eiq 'prepare\(|bind_param\(|PDO\(|execute\(' "$TARGET_FILE"; then
echo "PATCHED - no vulnerable query pattern found and prepared-statement indicators exist in $TARGET_FILE"
exit 0
fi
# If file exists but pattern is unclear, return UNKNOWN rather than over-claiming
if [[ $has_login_fn -eq 1 || $has_users_query -eq 1 || $has_password_concat -eq 1 ]]; then
echo "UNKNOWN - app file present but vulnerable pattern not conclusively identified in $TARGET_FILE"
exit 2
fi
echo "PATCHED - vulnerable Campcodes login query pattern not found in $TARGET_FILE"
exit 0
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, have your team search asset inventory, web roots, and source mirrors for this Campcodes app and the path
/admin/ajax.php?action=login; most enterprises will find nothing and should close it as not applicable. If you do find an instance, treat it as low-value app hygiene: restrict or remove internet exposure and either locally parameterize the query or retire the app in the next maintenance cycle. There is no noisgate mitigation SLA and no noisgate remediation SLA for a LOW verdict, so keep this out of emergency patch queues unless you confirm a live exposed deployment.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.