CVE-2025-1606
Published: 24 February 2025
Description
Adversaries may gather information about the victim's hosts that can be used during targeting.
Security Summary
CVE-2025-1606 is a problematic information disclosure vulnerability in SourceCodester Best Employee Management System 1.0, affecting unknown code within the file /admin/backup/backups.php. Classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control), it has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The vulnerability was published on 2025-02-24 and enables remote manipulation leading to the exposure of sensitive data.
A remote attacker with low privileges (PR:L), such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation results in low-impact confidentiality loss, allowing the attacker to disclose information from the backups.php endpoint without affecting integrity or availability.
Advisories from VulDB (CTI ID 296596) and a public GitHub disclosure detail the vulnerability but note that the vendor was contacted early without any response or patch release. No official mitigation or patch is available from SourceCodester, and the exploit has been publicly disclosed, increasing the risk of active use.
The exploit proof-of-concept is available on GitHub, indicating potential for immediate exploitation in unpatched instances of the software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in /admin/backup/backups.php enables remote information disclosure, facilitating adversary reconnaissance to gather victim host information (T1592), as explicitly mapped in the VulDB advisory.