CVE-2025-1167
Published: 11 February 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-1167 is a critical SQL injection vulnerability (CWE-74, CWE-89) in the Mayuri K Employee Management System up to version 192.168.70.3. The issue resides in an unknown functionality of the file /hr_soft/admin/Update_User.php, where manipulation of the "id" argument triggers the injection. Published on 2025-02-11, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation by attackers possessing low privileges, requiring no user interaction and low attack complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through SQL injection, potentially enabling unauthorized data access, modification, or disruption depending on the backend database privileges.
VulDB advisories provide further details, including submission and entry pages at https://vuldb.com/?ctiid.295070, https://vuldb.com/?id.295070, and https://vuldb.com/?submit.494725. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app (/hr_soft/admin/Update_User.php) enables initial access via exploitation of public-facing application (T1190), abuse of server software component for execution or persistence (T1505 as assigned by VulDB), and collection from databases via arbitrary SQL queries (T1213.006).