CVE-2025-2063
Published: 07 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2063 is a critical SQL injection vulnerability (CWE-74, CWE-89) in projectworlds Life Insurance Management System 1.0. The flaw resides in an unspecified function of the file /deleteNominee.php: manipulation of the nominee_id argument leads to SQL injection. Published on 2025-03-07, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction. Exploitation has limited impact on confidentiality, integrity, and availability: crafted SQL payloads supplied through the nominee_id parameter can read, modify, or disrupt data beyond the single nominee record the endpoint is meant to delete.
The VulDB entries (https://vuldb.com/?ctiid.298819, https://vuldb.com/?id.298819, https://vuldb.com/?submit.514749) and a GitHub issue (https://github.com/ubfbuz3/cve/issues/5) reference a public exploit, but the available information describes no patch or specific mitigation. Because the exploit has been publicly released, it may be in active use.
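The defect class described above, as an added illustration that is not the project's code: the request value nominee_id spliced into a DELETE statement beside the hardened handler that validates the type and binds the value as a parameter. The schema, table name and SQLite backend are assumptions; the application itself is PHP-based and uses a different database.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a nominee table with three rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nominee (nominee_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO nominee VALUES (?, ?)", [(1, "A"), (2, "B"), (3, "C")])
    conn.commit()
    return conn


def delete_nominee_unsafe(conn: sqlite3.Connection, nominee_id: str) -> int:
    """Vulnerable pattern: the untrusted request value becomes part of the SQL text,
    so the WHERE clause is whatever the caller chooses. Returns rows deleted."""
    cur = conn.execute(f"DELETE FROM nominee WHERE nominee_id = {nominee_id}")
    conn.commit()
    return cur.rowcount


def delete_nominee_safe(conn: sqlite3.Connection, nominee_id: str) -> int:
    """Hardened handler: reject anything that is not a plain positive integer,
    then pass the value as a bound parameter so it can never alter the query."""
    if not nominee_id.isdigit():
        raise ValueError("nominee_id must be a positive integer")
    cur = conn.execute("DELETE FROM nominee WHERE nominee_id = ?", (int(nominee_id),))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> int:
    """Rows still present, used to observe the effect of each handler."""
    return conn.execute("SELECT COUNT(*) FROM nominee").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, valid id -> deleted", delete_nominee_unsafe(db, "2"), "left", remaining(db))
    db = make_db()
    print("unsafe, tautology -> deleted", delete_nominee_unsafe(db, "2 OR 1=1"), "left", remaining(db))
    db = make_db()
    try:
        delete_nominee_safe(db, "2 OR 1=1")
    except ValueError as exc:
        print("safe, tautology ->", exc, "left", remaining(db))
```

The same fix applies in the application's own stack: validate nominee_id as an integer and use a prepared statement with a bound parameter instead of string concatenation.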
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an unauthenticated, public-facing web application endpoint (/deleteNominee.php) maps to exploitation of public-facing applications (T1190), abuse of server software components (T1505), and data collection from databases (T1213.006), since the flaw allows arbitrary SQL queries to be executed against the backend database.