CVE-2025-1857
Published: 03 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1857 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Nipah Virus Testing Management System 1.0. The flaw affects an unknown functionality within the file /check_availability.php, where manipulation of the employeeid argument enables SQL code injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-03.
The vulnerability is remotely exploitable by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service depending on the database backend.
Advisories and additional details are available in references including https://github.com/panghuanjie/Code-audits/issues/1, https://vuldb.com/?ctiid.298125, https://vuldb.com/?id.298125, https://vuldb.com/?submit.506120, and https://phpgurukul.com/. A public exploit has been disclosed and may be in use.
The exploit disclosure heightens the risk for exposed instances of this management system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated SQL injection vulnerability in the public-facing /check_availability.php endpoint enables exploitation of a public-facing application (T1190) and unauthorized collection of data from databases (T1213.006).