
CERT Coordination Center

BeeS Software Solutions BeeS Examination Tool (BET) portal contains SQL injection vulnerability

Vulnerability Note VU#361400

Original Release Date: 2026-01-09 | Last Revised: 2026-01-09

Overview

The BeeS Examination Tool (BET) portal from BeeS Software Solutions contains an SQL injection vulnerability in its website login functionality. More than 100 universities use the BET portal for test administration and other academic tasks. The vulnerability enables arbitrary SQL commands to be executed on the back-end database, allowing an attacker to manipulate the database, extract sensitive student data, and further compromise the host infrastructure. BeeS Software Solutions has since remediated the vulnerability, and no actions are necessary for customers at this time.

Description

Numerous universities implement the BET portal to unify the various tasks associated with administering examinations to students. Each university maintains its own instance of the BET portal, receiving updates from BeeS Software Solutions.

A vulnerability, tracked as CVE-2025-14598, was discovered within the login functionality of the portal. This vulnerability, facilitated by insufficient user input validation, enables arbitrary SQL injection. An attacker who exploits it can manipulate the back-end database, steal student data (including credentials), and perform lateral movement, further compromising the host infrastructure.

BeeS Software Solutions issued a patch to all instances using the BET portal, changing code, enabling input validation, and changing various security settings to prevent exploitation and unauthorized access. All BET clients automatically received these changes.
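The bug class described above, shown as an added illustration that is not BET code or the vendor's patch: a login lookup that splices input into the SQL text, next to one that binds the input as a parameter. The table layout, function names and sample account are hypothetical, and SQLite stands in for the back-end database, which the note does not name.

```python
import hashlib
import hmac
import sqlite3

def hash_pw(password):
    # Simplified for the demo; production code uses a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """In-memory stand-in for a portal user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("student1", hash_pw("correct horse")))
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: user input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + hash_pw(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Hardened pattern: input is bound as data and never parsed as SQL."""
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    # Compare in Python, in constant time, so the check cannot be edited
    # out of the query by anything the client sends.
    return row is not None and hmac.compare_digest(row[0], hash_pw(password))

if __name__ == "__main__":
    db = make_db()
    # Constructed input: the quote ends the string literal and "--" turns
    # the password condition into a comment.
    probe = "student1' --"
    for check in (login_concatenated, login_parameterized):
        print(check.__name__, check(db, probe, "wrong password"))
```

The concatenated version accepts the constructed input without the correct password; the parameterized version treats the same bytes as a username that does not exist.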

Impact

The vulnerability permits an unauthenticated, remote attacker to achieve various results, including unauthorized database access, credential theft, potential lateral movement into infrastructure, acquisition of sensitive student and institutional data, and system-level access to the affected server.

Solution

No actions are needed by clients, as configurations and updated dynamic link libraries (DLLs) have been automatically installed and updated through ePortal : Secure Build (October 2025). Testing indicates that the changes successfully mitigated the vulnerability.

Acknowledgements

Thanks to the reporter, Mohammed Afnaan Ahmed, for reporting this vulnerability. This document was written by Christopher Cullen.

Vendor Information


BeeS Software Solutions Not Affected

Notified:  2025-05-30 Updated: 2026-01-09

CVE-2025-14598 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Microsoft Unknown

Notified:  2025-07-16 Updated: 2026-01-09

CVE-2025-14598 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft Vulnerability Research Unknown

Notified:  2025-07-16 Updated: 2026-01-09

CVE-2025-14598 Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2025-14598
API URL: VINCE JSON | CSAF
Date Public: 2026-01-09
Date First Published: 2026-01-09
Date Last Updated: 2026-01-09 12:15 UTC
Document Revision: 1

Sponsored by CISA.