CVE-2025-0211

MediumPublic PoC

Published: 04 January 2025

Published

04 January 2025

Modified

10 January 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0008 23.1th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Security Summary

CVE-2025-0211 is a critical vulnerability in the Campcodes School Faculty Scheduling System version 1.0, affecting an unknown functionality within the /admin/index.php file. The issue arises from manipulation of the "page" argument, leading to file inclusion, specifically classified under CWE-73 (External Control of File Name or Path) and NVD-CWE-Other. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on January 4, 2025.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially enabling unauthorized file access or inclusion depending on the system's configuration.

Advisories from VulDB (ctiid.290156, id.290156, submit.474115) document the issue, and a proof-of-concept exploit is publicly available on GitHub at shaturo1337/POCs/blob/main/LFI%20in%20School%20Faculty%20Scheduling%20System.md. The vendor's site at campcodes.com provides context on the affected software, though specific patch details are not outlined in the referenced sources.

The exploit has been disclosed to the public and may be used in attacks.

Details

CWE(s): CWE-73NVD-CWE-Other

Affected Products

campcodes

school faculty scheduling system

1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1083 File and Directory Discovery Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

The LFI vulnerability (CVE-2025-0211) in the public-facing /admin/index.php enables exploitation of a public-facing application (T1190). It facilitates reading arbitrary local files for data from local system (T1005), file and directory discovery (T1083), and extracting credentials from files (T1081) such as source code and configs.

References

https://github.com/shaturo1337/POCs/blob/main/LFI%20in%20School%20Faculty%20Scheduling%20System.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.290156
Permissions Required · cna@vuldb.com
https://vuldb.com/?id.290156
Third Party Advisory · cna@vuldb.com
https://vuldb.com/?submit.474115
Third Party Advisory · cna@vuldb.com
https://www.campcodes.com/
Product · cna@vuldb.com