CVE-2025-0532

MediumPublic PoC

Published: 17 January 2025

Published

17 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0015 35.4th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-0532 is a critical SQL injection vulnerability in Codezips Gym Management System version 1.0. The issue affects an unknown function within the file /dashboard/admin/new_submit.php, where manipulation of the m_id argument enables the injection. It is remotely exploitable and has been assigned a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), with associated CWEs-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). The vulnerability was published on 2025-01-17.

An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized access, modification, or disruption of database operations through the injected SQL payload.

Advisories referenced in sources like VulDB and a GitHub issue (TIANN0/CVE #1) disclose the vulnerability details and proof-of-concept exploit, which has been made public and may be actively used by attackers. No specific patches or mitigation steps are detailed in the available references.

Details

CWE(s): CWE-74CWE-89

Affected Products

codezips

gym management system

1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (/dashboard/admin/new_submit.php) enables exploitation of public-facing applications (T1190), abuse of server software components for execution (T1505 as noted in advisory), and unauthorized data collection from databases (T1213.006) via arbitrary SQL queries.

References

https://github.com/TIANN0/CVE/issues/1
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.292416
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.292416
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.479100
Third Party Advisory, VDB Entry · cna@vuldb.com
https://github.com/TIANN0/CVE/issues/1
Exploit, Issue Tracking, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0