CVE-2025-2057
Published: 07 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2057 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Emergency Ambulance Hiring Portal 1.0. The flaw resides in an unknown function within the file /admin/about-us.php, where manipulation of the "pagedes" argument triggers the injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-07.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized access, modification, or disruption of database operations via injected SQL payloads.
Advisories on VulDB (ctiid.298812, id.298812) and a GitHub issue (12T40910/CVE/issues/5) detail the vulnerability, with the proof-of-concept exploit publicly disclosed and available for use. The vendor site phpgurukul.com is referenced, but no patches or specific mitigations are outlined in the provided information.
The exploit has been made public, increasing the risk of active exploitation against unpatched instances of the portal.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability enables exploitation of public-facing web applications (T1190), server software components as noted in advisory (T1505), and collection from databases via unauthorized queries (T1213.006).