School-management-system 1.0 unauthenticated SQL injection (CVE-2025-65135)
Patch now - CVE-2025-65135 is a critical SQL injection vulnerability in manikandan580 School-management-system version 1.0 that lets unauthenticated attackers extract the entire database, including user credentials and PII. With no official patch available, immediate network isolation is essential.
Overview
A critical security vulnerability has been identified in manikandan580 School-management-system version 1.0. Tracked as CVE-2025-65135, this flaw allows an unauthenticated attacker to perform a time-based blind SQL injection attack, potentially leading to a full compromise of the application’s database.
Vulnerability Details
The vulnerability is a time-based blind SQL injection located in the /studentms/admin/between-date-reprtsdetails.php file. It is exploitable through the fromdate POST parameter. An attacker can send specially crafted requests to this endpoint. By observing the time delays in the server’s responses, they can infer and extract sensitive information from the underlying database, such as user credentials, personal student information, and administrative details.
Impact and Severity
This vulnerability is rated CRITICAL with a CVSS score of 9.8 (AV:N/AC:L/PR:N/UI:N). The high score is due to the attack being remotely executable over a network, requiring no user interaction, and needing no prior authentication. Successful exploitation could lead to a complete data breach, allowing attackers to steal all information stored within the application’s database. This could include sensitive personally identifiable information (PII), making it a significant compliance and privacy incident. For more on the consequences of data theft, see our breach reports.
Remediation and Mitigation
As of this advisory, the vendor has not released an official patch for School-management-system 1.0.
Immediate Mitigation Steps:
- Network Isolation: Restrict network access to the application. Do not expose it directly to the internet. Place it behind a firewall or VPN, allowing access only to authorized users.
- Web Application Firewall (WAF): Deploy a WAF in front of the application and configure rules to block SQL injection patterns targeting the affected endpoint.
- Monitor and Audit: Closely monitor server logs for suspicious activity, particularly repeated POST requests to the /studentms/admin/between-date-reprtsdetails.php path with unusual fromdate parameters.
- Consider Alternatives: Given the lack of a patch and the critical nature of the flaw, organizations should consider migrating to a supported and actively maintained school management platform.
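One way to automate the Monitor and Audit step, as an added example that is not part of the original advisory or the project's code: it flags clients that send many POSTs to the affected endpoint with a high share of slow responses. It assumes an Apache combined access log with %D (request duration in microseconds) appended as the last field; the thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Affected endpoint named in the advisory.
TARGET = "/studentms/admin/between-date-reprtsdetails.php"

# Assumed log layout: Apache "combined" format with %D (request duration in
# microseconds) appended as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

def find_suspects(lines, min_posts=5, slow_usec=2_000_000, slow_ratio=0.3):
    """Return {client_ip: (post_count, slow_count)} for clients whose POSTs
    to TARGET are both frequent and often slow (thresholds are assumptions)."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != TARGET:  # ignore any query string
            continue
        entry = stats[m["ip"]]
        entry[0] += 1
        if int(m["usec"]) >= slow_usec:
            entry[1] += 1
    return {
        ip: (posts, slow)
        for ip, (posts, slow) in stats.items()
        if posts >= min_posts and slow / posts >= slow_ratio
    }

def _line(ip, sec, usec, path=TARGET, method="POST"):
    # Builds one constructed log line; every value is made up for the example.
    return (f'{ip} - - [10/Jan/2026:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "ExampleAgent/1.0" {usec}')

# Constructed sample: 203.0.113.7 alternates fast and delayed responses,
# 198.51.100.20 is an administrator running two ordinary reports.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, 5_100_000 if s % 2 else 90_000) for s in range(10)]
    + [_line("198.51.100.20", 30, 120_000), _line("198.51.100.20", 45, 140_000)]
    + [_line("203.0.113.7", 50, 80_000, path="/studentms/index.php", method="GET")]
)

if __name__ == "__main__":
    for ip, (posts, slow) in find_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {posts} POSTs to {TARGET}, {slow} slow")
```

Standard access logs do not record POST bodies, so this check relies on request volume and timing rather than the fromdate value itself; inspecting the parameter requires body logging at the WAF or application layer.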
Security Insight
This vulnerability highlights the persistent risk in niche, often unsupported, open-source web applications. Similar to many flaws cataloged in our security news, it stems from a fundamental lack of input sanitization, a basic security practice. Its presence in an administrative script suggests development occurred without a security-first mindset, a common pattern in projects where functionality is prioritized over secure coding principles, leaving deployers solely responsible for their own protection.