CVE-2025-0802

HighPublic PoC

Published: 29 January 2025

Published

29 January 2025

Modified

10 February 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0006 19.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.

Security Summary

CVE-2025-0802 is a critical vulnerability involving improper access controls in an unknown functionality of the /admin/View_user.php file within the Administrative Endpoint component of SourceCodester Best Employee Management System 1.0. Published on 2025-01-29, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control).

The vulnerability enables remote exploitation without requiring authentication, user interaction, or elevated privileges, allowing attackers with network access to manipulate the affected endpoint and bypass access controls. Successful exploitation can result in low-level impacts to confidentiality, integrity, and availability, potentially granting unauthorized access to administrative functions or sensitive user data.

Advisories referenced in VulDB entries (ctiid.293923, id.293923, submit.485005) and a GitHub repository (theanm0l/VulnDB) document the issue, with the exploit disclosed publicly and available for use; the vendor site at sourcecodester.com provides context on the software but no specific patch details are outlined in the available information.

The public disclosure of the exploit highlights increased risk for unpatched instances of this employee management system.

Details

CWE(s): CWE-266CWE-284NVD-CWE-noinfo

Affected Products

mayurik

best employee management system

1.0

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1087 Account Discovery Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.

attack.mitre.org →

T1136 Create Account Persistence

Adversaries may create an account to maintain access to victim systems.

attack.mitre.org →

T1531 Account Access Removal Impact

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.

attack.mitre.org →

Why these techniques?

Unauthenticated remote access to /admin/View_user.php enables exploitation of public-facing application (T1190) and privilege escalation (T1068), allowing account discovery via user viewing (T1087), account creation (T1136), and account deletion/access removal (T1531).

References

https://github.com/theanm0l/VulnDB/blob/main/Improper%20Authorization.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.293923
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.293923
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.485005
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.sourcecodester.com/
Product · cna@vuldb.com