Cyber Posture

CVE-2025-1856

HighPublic PoC

Published: 03 March 2025

Published
03 March 2025
Modified
24 June 2025
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0019 40.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-1856 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips Gym Management System version 1.0. The flaw resides in an unknown functionality of the file /dashboard/admin/gen_invoice.php, where manipulation of the "id" argument triggers the injection. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is exploitable remotely by unauthenticated attackers requiring low attack complexity and no user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL queries.

Advisories and details are available via VulDB entries (https://vuldb.com/?ctiid.298124, https://vuldb.com/?id.298124, https://vuldb.com/?submit.506107), with a public exploit disclosed on GitHub (https://github.com/smartttt1/CVE/blob/main/CVE_1.md).

The exploit has been publicly disclosed and may be actively used against vulnerable instances.

Details

CWE(s)
CWE-74CWE-89

Affected Products

codezips
gym management system
1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1505 Server Software Component Persistence
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection vulnerability in public-facing web application (/dashboard/admin/gen_invoice.php) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505), and data collection from databases (T1213.006).

References