← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-0212 · CWE-74 · Disclosed 2025-01-04

A vulnerability was found in Campcodes Student Grading System 1

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a spare key left inside a locked office, not a crowbar through the front door

CVE-2025-0212 is an SQL injection in Campcodes Student Grading System 1.0, specifically in /view_students.php where the id parameter is interpolated into a MySQL query without sanitization. The CNA record and PoC both point to version 1.0; no authoritative fixed version was published in the sources reviewed, and the vulnerable code path appears tied to the student-view workflow in the PHP application.

The vendor/CNA MEDIUM is closer to reality than NVD's later 9.8 CRITICAL enrichment. The decisive friction is privilege requirement: the CNA score says PR:L, the PoC workflow points at an authenticated student-management page, and the product itself is a niche downloadable PHP project rather than a broadly exposed enterprise platform. Public exploit code exists, but this is still mostly a post-login data-layer abuse problem with limited population and partial impact.

"Public PoC aside, this is a niche, authenticated SQLi with narrow real-world reach—not a fire drill unless you actually run it."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get into the app with low privileges

The attacker first needs a valid application session for the grading system, likely using a student/staff/admin account depending on how the deployment mapped access to the Students workflow. Typical operator tooling here is a browser or Burp Suite; nothing exotic is required once credentials exist.
Conditions required:
  • Target organization actually runs Campcodes Student Grading System 1.0
  • Attacker can reach the web app over the network
  • Attacker has valid low-privileged credentials or equivalent session access
Where this breaks in practice:
  • This is a niche PHP/MySQL source-code project, not a mainstream enterprise product
  • Many deployments will be lab, school-project, or internal-only rather than internet-exposed
  • Credential requirement implies either prior compromise, credential reuse, or insider access
Detection/coverage: External scanners may flag the CVE by version/CPE, but reliable exploitation detection usually needs web logs, WAF telemetry, or code review because the endpoint is application-specific.
STEP 02

Reach the vulnerable student-view endpoint

Using Burp Repeater, curl, or a browser, the attacker sends a POST to /grading/view_students.php and controls the id parameter. The published PoC shows a same-origin AJAX-style request tied to the Students page workflow.
Conditions required:
  • Authenticated session remains valid
  • The view_students.php route is exposed in the deployed application
  • The vulnerable file has not been locally modified by the operator
Where this breaks in practice:
  • Custom local pathing or access-control wrappers can block direct endpoint access
  • Some deployments may hide the route behind role checks or internal-only access
  • Reverse proxies/WAFs can disrupt obvious SQLi payloads
Detection/coverage: Good WAF signatures and verbose PHP/Apache logs can spot suspicious id= payloads, especially UNION/error-based probes. Generic authenticated web scans may miss it without valid credentials.
STEP 03

Exploit the SQL injection

The PoC uses a UNION-based payload against id, and sqlmap would likely automate enumeration if the endpoint behavior is stable. Because the code concatenates $_POST['id'] directly into a query, an attacker can read database content and potentially alter records depending on the database account's privileges.
Conditions required:
  • Input is unsanitized as shown in the PoC
  • Backend database returns exploitable query behavior
  • Database user has useful read and possibly write privileges
Where this breaks in practice:
  • Column count/type alignment may need tuning for reliable UNION exploitation
  • Parameterized local hotfixes or mysqli wrappers would kill the bug outright
  • Least-privilege DB accounts can sharply reduce write/destructive impact
Detection/coverage: DAST with authenticated context should find this. DB logs, WAF alerts, and anomalous query patterns are the best runtime signals.
STEP 04

Abuse academic records or exfiltrate data

Most realistic outcomes are reading student records, enumerating users, or tampering with grade-related data in the application database. Weaponized operators would use sqlmap, manual UNION SELECTs, or follow-on credential harvesting from database contents rather than pursuing full host takeover from this bug alone.
Conditions required:
  • Database contains sensitive student/user data
  • DB account privileges allow the chosen action
  • Organization relies on the app for real records rather than a test dataset
Where this breaks in practice:
  • Impact is usually bounded to the application's database and trust zone
  • No evidence reviewed shows widespread chaining to RCE or mass exploitation
  • If this is a demo or training deployment, business impact may be low despite technical exploitability
Detection/coverage: Look for unexpected bulk reads, grade changes, anomalous admin actions after low-priv logins, and database access spikes from the web tier.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo authoritative evidence of active exploitation found in reviewed sources. Not listed in CISA KEV.
Proof-of-concept availabilityYes. Public GitHub PoC by John Alan Correche / shaturo1337 shows a crafted POST to /grading/view_students.php with UNION-based injection.
EPSS0.00097 from the user-supplied intel block, which is extremely low and consistent with a niche-product, low-observation vulnerability.
KEV statusNo. Reviewed against the CISA KEV catalog. No addition date or due date because it is not cataloged.
CVSS disagreementCNA/VulDB scores it 6.3 MEDIUM with PR:L; NVD later enriched it to 9.8 CRITICAL with PR:N. The public PoC and the endpoint context make the CNA assessment more credible for operational prioritization.
Affected versionsCampcodes Student Grading System 1.0 per CVE/OpenCVE/NVD records.
Fixed versionNo authoritative patched version was published in the reviewed sources. Treat as no vendor fix identified unless you have a local code patch.
Exposure populationNo product-specific Shodan/Censys fingerprints or public census data were found in search results. Practical exposure is likely small and hard to enumerate, which pushes severity down.
Disclosure datePublished 2025-01-04; CNA timeline shows advisory disclosed on 2025-01-03.
Researcher / reporterReported in the CNA record as John Correche (VulDB User); the public PoC is attributed to John Alan Correche.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to MEDIUM (5.0/10)

The single biggest downward pressure is that this appears to require authenticated access to a niche web application, which makes it a post-initial-access or insider-abuse bug in most real deployments. Public PoC raises confidence that the flaw is real, but low EPSS, no KEV listing, and a very small likely exposed population keep it out of the urgent patch-now buckets.

HIGH Technical existence of the SQL injection
MEDIUM Privilege requirement being low-priv authenticated rather than unauthenticated
HIGH Operational downgrade versus NVD's CRITICAL enrichment

Why this verdict

  • Auth requirement cuts the blast radius hard: CNA scores PR:L, and the PoC context points to the Students workflow rather than a public unauthenticated endpoint. That means attacker position is *authenticated remote*, which usually implies prior compromise, credential theft, or insider access.
  • Population is narrow: this is a downloadable Campcodes PHP/MySQL project, not Exchange, Fortinet, or Confluence. The fraction of enterprises with this exact product exposed is likely tiny, so vendor-medium is already a ceiling in most fleets.
  • Public exploit code is real but not enough to upgrade: a GitHub PoC exists, which removes doubt about exploitability and prevents a downgrade to LOW. But CISA ADP also marks exploitation as poc and automatable: no, which is a long way from mass exploitation pressure.
  • Impact looks partial, not domain-wide: the likely damage is app-database read/write within the grading system. That's serious for the affected school or department, but it is not the same as pre-auth RCE on an internet edge appliance.
  • NVD's 9.8 is not a good operations baseline here: NVD changed the vector to PR:N/C:H/I:H/A:H, but the source record, reference tagging, and PoC context support lower privileges and lower practical impact.

Why not higher?

There is no reviewed evidence of KEV listing, active campaigns, ransomware use, or broad internet exposure. More importantly, the most plausible path requires authenticated access to a niche app, which compounds downward: prior access + specific product + specific endpoint + app-bounded impact.

Why not lower?

This is still a real SQL injection with public exploit material and plausible confidentiality/integrity impact against live student data. If your organization actually runs this application, especially internet-facing, it is too actionable to dismiss as backlog noise.

05 · Compensating Control

What to do — in priority order.

  1. Restrict exposure — Put the grading app behind VPN, campus IP allowlists, or an identity-aware proxy so the vulnerable endpoint is not broadly reachable. For a MEDIUM verdict there is no mitigation SLA, but do this opportunistically as the highest-value risk reducer if the app is still exposed.
  2. Enforce strong auth on all app accounts — Because the decisive friction is authenticated access, tighten passwords, disable stale student/staff accounts, and add SSO/MFA in front of the app where possible. There is no mitigation SLA — go straight to the 365-day remediation window, but auth hardening is the best compensating control when no vendor fix is published.
  3. Add a WAF rule for view_students.php — Create targeted blocking or alerting for SQL metacharacters and UNION/error-based payloads on the id POST parameter to /grading/view_students.php. Use this as a temporary containment layer where the app cannot be removed immediately.
  4. Reduce DB privileges — Ensure the PHP application's MySQL account has only the minimum rights needed; if it cannot write arbitrary tables, the integrity impact drops sharply. This is especially important when the source code cannot be patched centrally.
  5. Locally patch the query — If you own the code, replace string concatenation with prepared statements and validate id as an integer. Since no authoritative vendor fixed version was found, a local code fix may be the only realistic remediation path inside the 365-day window.
What doesn't work
  • Generic perimeter EDR does not stop a server-side SQLi in a PHP app before the query runs; this is an application/WAF/code problem.
  • TLS/HTTPS does not help; it protects the transport, not the unsafe SQL construction.
  • Relying on obscurity of the endpoint path does not work once an authenticated user or tester reaches the Students workflow.
  • Password rotation alone does not remove the flaw; it only makes the first prerequisite harder.
06 · Verification

Crowdsourced verification payload.

Run this on the target web server or on a mounted copy of the application source. Invoke it as bash check-cve-2025-0212.sh /var/www/html/grading/view_students.php or point it at the application root like bash check-cve-2025-0212.sh /var/www/html/grading. No root is required if the account can read the PHP source file.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-cve-2025-0212.sh
# Detects likely vulnerable Campcodes Student Grading System view_students.php SQLi pattern.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/error

set -u

TARGET="${1:-}"

if [[ -z "$TARGET" ]]; then
  echo "Usage: $0 <path-to-view_students.php|path-to-app-root>"
  exit 3
fi

resolve_file() {
  local input="$1"
  if [[ -f "$input" ]]; then
    echo "$input"
    return 0
  fi
  if [[ -d "$input" ]]; then
    local found
    found=$(find "$input" -type f -name 'view_students.php' 2>/dev/null | head -n 1)
    if [[ -n "$found" ]]; then
      echo "$found"
      return 0
    fi
  fi
  return 1
}

FILE=$(resolve_file "$TARGET") || {
  echo "UNKNOWN - could not locate view_students.php under: $TARGET"
  exit 2
}

# Normalize line endings for matching.
CONTENT=$(tr -d '\r' < "$FILE")

has_post_id=0
has_concat_query=0
has_student_query=0
has_prepared_stmt=0

if grep -Eq '\$_POST\s*\[\s*["\x27]id["\x27]\s*\]' <<< "$CONTENT"; then
  has_post_id=1
fi

if grep -Eq 'SELECT \* From student_info.*STUDENT_ID\s*=\s*\x27\$id\x27' <<< "$CONTENT"; then
  has_student_query=1
fi

if grep -Eq 'mysqli_query\s*\(.*STUDENT_ID\s*=\s*\x27\$id\x27' <<< "$CONTENT"; then
  has_concat_query=1
fi

if grep -Eqi 'prepare\s*\(|bind_param\s*\(' <<< "$CONTENT"; then
  has_prepared_stmt=1
fi

if [[ $has_post_id -eq 1 && $has_concat_query -eq 1 && $has_student_query -eq 1 && $has_prepared_stmt -eq 0 ]]; then
  echo "VULNERABLE - unsafe POST id is concatenated into SQL in $FILE"
  exit 1
fi

if [[ $has_prepared_stmt -eq 1 ]]; then
  echo "PATCHED - prepared statement patterns present in $FILE"
  exit 0
fi

# If file exists but does not match the known vulnerable pattern, we cannot be certain.
echo "UNKNOWN - file found at $FILE but known vulnerable pattern was not confidently matched"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: first confirm whether anyone in your environment actually runs this Campcodes app, because most enterprises won't. If you do have it, treat it as a contained-but-real web-app flaw: there is no noisgate mitigation SLA — go straight to the 365-day remediation window for this MEDIUM finding, but if the app is internet-facing or used with live student data, front-load compensating controls now by restricting access and adding WAF coverage while you either locally patch the PHP query or retire the app. Because no authoritative vendor fixed version was found, use the noisgate remediation SLA as the deadline for code remediation or replacement rather than waiting for a nonexistent package update.

Sources

  1. NVD CVE-2025-0212
  2. OpenCVE record for CVE-2025-0212
  3. GitHub PoC: SQL Injection in Student Grading System
  4. Campcodes product page: Online Student Grading System in PHP MySQL
  5. CISA Known Exploited Vulnerabilities Catalog
  6. CVEDetails entry with EPSS display
  7. INCIBE-CERT reference for CVE-2025-0212
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.