CVE-2025-2051
Published: 07 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2051 is a critical SQL injection vulnerability affecting PHPGurukul Apartment Visitors Management System version 1.0. The flaw exists in unknown code within the file /search-visitor.php, where manipulation of the 'searchdata' argument enables SQL injection. Published on 2025-03-07, it is associated with CWEs-74 and CWE-89, and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges can exploit this vulnerability due to its network accessibility, low complexity, and lack of required user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads.
Advisories and further details are available via VulDB entries (https://vuldb.com/?ctiid.298804, https://vuldb.com/?id.298804, https://vuldb.com/?submit.514191), a GitHub issue (https://github.com/guttlefish/vul/issues/9), and the vendor site (https://phpgurukul.com/). The exploit has been publicly disclosed and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in /search-visitor.php enables exploitation of a public-facing web application (T1190), abuse of server software components (T1505 per advisory), and arbitrary data collection from databases (T1213.006).