01 · The Real Story
This is a janitor key left behind the admin desk, not a front-door skeleton key
CVE-2025-0211 is a file inclusion bug in Campcodes School Faculty Scheduling System 1.0, specifically in /admin/index.php, where the page parameter is passed straight into include $page.'.php'. The public PoC shows php://filter/convert.base64-encode/resource=index, which turns this into authenticated local file read of PHP source and likely configuration material. Authoritative records only identify version 1.0 as affected; I did not find a vendor-fixed release or distro backport.
The vendor/CNA 6.3 MEDIUM is closer to reality than NVD's 9.8 CRITICAL. The decisive friction is PR:L: this sits behind the admin/staff side, so the attacker generally needs valid credentials or an existing session before the bug matters. That makes it a post-initial-access amplifier with partial impact, not an internet-scale unauthenticated takeover.
"Authenticated file read in a niche PHP app: real issue, but not the five-alarm fire NVD makes it look like."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Find an exposed admin portal
The attacker identifies a Campcodes deployment and reaches the admin/staff entry point under
/admin. Campcodes' own project page documents the admin side and default local URL structure, which reduces recon cost for anyone hunting these installs.Conditions required:
- A School Faculty Scheduling System 1.0 instance is reachable over HTTP/HTTPS
- The admin/staff interface is exposed beyond localhost or a trusted network
Where this breaks in practice:
- This is a niche freeware PHP project, not a common enterprise platform
- Many installs are likely lab, dev, or single-school deployments rather than internet-facing production apps
- Reverse proxies, VPN-only exposure, or simple IP ACLs often remove reachability entirely
Detection/coverage: External attack-surface scanners can usually find
/admin paths, but generic vuln scanners may miss product identification unless the site branding is intact.STEP 02
Get low-privileged access
The CVSS and PoC both imply authenticated use. In practice that means stolen staff credentials, password reuse, or an unchanged weak/default admin account; Campcodes' setup page publishes example admin credentials (
admin / admin123) for local testing, which is dangerous if operators never change them.Conditions required:
- Valid staff/admin credentials or a hijacked authenticated session
- The target did not put strong auth controls in front of the app
Where this breaks in practice:
- This is the biggest severity brake: the attacker is already past initial access or abusing poor credential hygiene
- MFA, SSO front-ends, VPN gating, and account lockout materially raise the cost
Detection/coverage: IAM, reverse proxy, and web server logs can show logins from new IPs, password spraying, or suspicious session reuse; vuln scanners do not prove exploitability here without credentials.
STEP 03
Exploit the page include with php://filter
Using a browser,
curl, or Burp Suite, the attacker requests /admin/index.php?page=php://filter/convert.base64-encode/resource=index as shown in the public GitHub PoC. Because the application appends .php and directly includes the user-controlled value, the response can disclose base64-encoded PHP source instead of rendering a legitimate page.Conditions required:
- Authenticated access to
/admin/index.php - The vulnerable include statement is still present in the deployed code
Where this breaks in practice:
- Impact demonstrated publicly is file read, not proven RCE
- Useful follow-on access depends on what readable files exist and where secrets are stored
- Some PHP hardening or application error handling may limit which wrappers or paths work
Detection/coverage: WAFs and web logs can catch
php://filter, convert.base64-encode, or abnormal page= values. Signature coverage is straightforward if you know the route, but many organizations will not have product-specific rules.STEP 04
Mine disclosed files for pivot material
Once source or config files are readable, the attacker can look for database credentials, session settings, filesystem paths, and application logic flaws. That can enable broader compromise, but that is a second-stage chain, not something this CVE alone guarantees.
Conditions required:
- Readable files contain secrets or operationally useful code
- Backend services are reachable and accept the leaked credentials
Where this breaks in practice:
- No public advisory demonstrates a full chain from this bug to host takeover
- Separate network controls, secret rotation, or DB bind restrictions may block the pivot
- Blast radius is usually one app instance, not an enterprise-wide control plane
Detection/coverage: Look for anomalous reads followed by DB logins from the web tier, new session creation, or unusual admin activity. EDR on the host may see follow-on tooling, but not the initial file-read itself.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No confirmed active exploitation found in primary sources reviewed. CISA ADP SSVC marks Exploitation: poc, Automatable: no, Technical Impact: partial via the CVE enrichment visible through OpenCVE. |
|---|---|
| Public PoC | Yes. A public GitHub PoC by shaturo1337 / credited researcher John Correche shows the vulnerable code and an authenticated HTTP request using php://filter. |
| EPSS | User-supplied EPSS is 0.00107 (~0.107%), which is very low and consistent with niche-product, post-auth exploitation. I did not verify a current percentile from a primary FIRST per-CVE feed during this review. |
| KEV status | Not listed in CISA's Known Exploited Vulnerabilities Catalog based on catalog search results reviewed. |
| CVSS reality check | CNA/VulDB scored it 6.3 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), which fits an authenticated partial-impact file-read. NVD separately enriched it to 9.8 CRITICAL, apparently treating it like unauthenticated total compromise; that overstates real-world reachability. |
| Affected versions | Authoritative records identify Campcodes School Faculty Scheduling System 1.0 as affected. OSV shows last_affected: 1.0; no narrower fixed sub-build was published. |
| Fixed version | No vendor-fixed version, patch advisory, or distro backport located. Treat this as patch-unavailable unless your team locally hardens the code. |
| Exposure population | Likely small and long-tail. This is a free PHP/MySQL project distributed as downloadable source code for XAMPP/LAMP-style installs, not a broadly managed enterprise product. |
| Scanning/exposure data | I found no reliable Shodan/Censys/FOFA signature data specific to this product during review. That absence is not proof of safety, but it argues against mass internet prevalence. |
| Disclosure and credit | Reserved 2025-01-03, published 2025-01-04. Reported/credited to John Correche. |
04 · The Call
noisgate verdict.
Final Verdict
= UNCHANGED to MEDIUM (4.4/10)
The single most important factor is the attacker position requirement: this is an authenticated admin-side bug, which usually implies prior access or weak credential hygiene before the CVE even enters play. That sharply narrows the exposed population and keeps the blast radius closer to one web app instance than an internet-scale edge compromise.
HIGH Exploit mechanics and affected file path
MEDIUM Real-world exposure population
MEDIUM Need for authentication based on CNA vector, PoC context, and admin-side route
Why this verdict
- Start from the vendor's 6.3, not NVD's 9.8: the CNA vector includes
PR:L, and the PoC is aimed at the admin interface with an authenticated cookie context, so the vendor baseline is the right anchor. - Attacker position pushes this down: requiring authenticated remote access means this is usually post-initial-access, credential abuse, or session theft. That is compounding downward pressure versus any unauthenticated edge bug.
- Reachable population is narrow: Campcodes distributes this as a small PHP source-code project for XAMPP/LAMP-style installs, not as a mainstream enterprise control plane. Even vulnerable installs are unlikely to be numerous in large managed fleets.
- Impact is partial, not proven takeover: the public PoC demonstrates file read via
php://filter, which can leak source and secrets, but the reviewed sources do not prove code execution or full host compromise from this CVE alone. - Still not LOW because exploitation is cheap once inside: there is a public PoC, the bug is one parameter in a predictable admin route, and file disclosure can hand an attacker the next set of keys.
Why not higher?
This is not an unauthenticated internet-edge compromise in practice. The chain depends on prior authenticated access to an admin-side route, and the public evidence shows partial technical impact rather than demonstrated full-system takeover.
Why not lower?
Once the attacker has a valid session, exploitation is trivial and well-documented. Reading PHP source and config from a live web app can expose database credentials and make follow-on compromise much easier, so this is more than backlog lint.
05 · Compensating Control
What to do — in priority order.
- Put
/adminbehind a trust boundary — Restrict the admin/staff path to VPN, campus IP ranges, or a reverse proxy allowlist so the authenticated prerequisite becomes much harder to satisfy. For a MEDIUM verdict there is no noisgate mitigation SLA; do this in the next normal change window if the app must remain online. - Kill default and weak credentials — Reset any installer or demo credentials, enforce long unique passwords, and add MFA or SSO in front of the app if possible. This directly attacks the biggest exploit prerequisite; for MEDIUM, there is no noisgate mitigation SLA, but do not leave published sample credentials in production.
- Add a WAF or proxy rule for
page=abuse — Block requests wherepagecontainsphp://,.., absolute paths, URL-encoded traversal, or wrapper syntax. This is a practical shield for internet-exposed instances while you decide whether to locally patch or retire the app; for MEDIUM, there is no noisgate mitigation SLA. - Locally harden the include logic — Replace dynamic include-from-user-input with a strict allowlist of valid page names, or map routes to known files server-side. Because no vendor-fixed version was located, this may be your actual remediation path within the 365-day window.
- Monitor for wrapper and traversal indicators — Alert on
php://filter,convert.base64-encode, suspiciouspage=values, and repeated requests to/admin/index.php. This will not prevent exploitation, but it gives you a chance to catch active probing and credential abuse.
What doesn't work
- Relying on internal-only placement alone doesn't help if the threat model includes stolen staff credentials or a foothold on the school network.
- Generic EDR on the web host won't reliably stop the initial exploit because the first-stage action is an application-level file read through normal PHP execution.
- Assuming NVD's
9.8means 'drop everything' is the wrong control decision here; the real limiter is authenticated reachability, not raw bug class.
06 · Verification
Crowdsourced verification payload.
Run this on the target web server or against a mounted application directory, not from an auditor workstation. Invoke it as sudo bash check-cve-2025-0211.sh /var/www/html/school-faculty-scheduling-system and provide a path to the application root; it only needs read access to the code tree.
#!/usr/bin/env bash
# check-cve-2025-0211.sh
# Detects the vulnerable include pattern for CVE-2025-0211 in Campcodes School Faculty Scheduling System.
# Usage: bash check-cve-2025-0211.sh /path/to/app
# Exit codes:
# 0 = PATCHED
# 1 = VULNERABLE
# 2 = UNKNOWN / error
set -u
APP_ROOT="${1:-}"
if [[ -z "$APP_ROOT" ]]; then
echo "UNKNOWN: missing application path argument"
exit 2
fi
TARGET="$APP_ROOT/admin/index.php"
if [[ ! -f "$TARGET" ]]; then
echo "UNKNOWN: file not found: $TARGET"
exit 2
fi
# Normalize line endings for matching.
CONTENT="$(tr -d '\r' < "$TARGET")"
# Strong indicator from the published PoC.
HAS_PAGE_ASSIGN=0
HAS_UNSAFE_INCLUDE=0
HAS_ALLOWLIST_HINT=0
if printf '%s' "$CONTENT" | grep -Eq "\$page *= *isset\(\$_GET\['page'\]\) *\? *\$_GET\['page'\] *: *'home'"; then
HAS_PAGE_ASSIGN=1
fi
if printf '%s' "$CONTENT" | grep -Eq "include[[:space:]]+\$page[[:space:]]*\.[[:space:]]*'\.php'"; then
HAS_UNSAFE_INCLUDE=1
fi
# Simple signs of local hardening.
if printf '%s' "$CONTENT" | grep -Eqi "in_array\(|switch[[:space:]]*\(|case[[:space:]]+'|preg_match\(|realpath\(|basename\("; then
HAS_ALLOWLIST_HINT=1
fi
if [[ $HAS_PAGE_ASSIGN -eq 1 && $HAS_UNSAFE_INCLUDE -eq 1 ]]; then
echo "VULNERABLE: unsafe user-controlled include pattern present in $TARGET"
exit 1
fi
if [[ $HAS_ALLOWLIST_HINT -eq 1 ]]; then
echo "PATCHED: unsafe include pattern not found and hardening indicators are present in $TARGET"
exit 0
fi
if printf '%s' "$CONTENT" | grep -Eq "\$_GET\['page'\]|\$_REQUEST\['page'\]"; then
echo "UNKNOWN: page parameter handling exists, but the exact published vulnerable pattern was not matched"
exit 2
fi
echo "PATCHED: published vulnerable include pattern not found in $TARGET"
exit 0
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: find any Campcodes School Faculty Scheduling System instances, especially internet-exposed ones, and decide whether they are real business apps or disposable long-tail PHP projects. Because this lands at MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window unless the app is externally exposed and using weak/default auth, in which case put
/admin behind a trust boundary in the next change window. Under the noisgate remediation SLA, either locally fix the include logic or retire the application within 365 days; since no vendor patch was located, 'waiting for the update' is not a plan.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.