CVE-2025-2351
Published: 16 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2351 is a SQL injection vulnerability classified as critical in DayCloud StudentManage 1.0. It affects unknown code within the /admin/adminScoreUrl file of the Login Endpoint component, where manipulation of the "query" argument enables the injection. The issue, linked to CWE-74 and CWE-89, carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-16.
The vulnerability is remotely exploitable by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL queries.
VulDB advisories, referenced at https://vuldb.com/?ctiid.299818, https://vuldb.com/?id.299818, and https://vuldb.com/?submit.512793, confirm the exploit has been publicly disclosed and may be in use. The product employs continuous delivery with rolling releases, providing no specific affected or patched version details; the vendor was notified early but has not responded.
The public disclosure of the exploit increases the risk of active exploitation against unpatched instances of DayCloud StudentManage 1.0.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote unauthenticated SQL injection in a public-facing web application (Login Endpoint) directly enables T1190 Exploit Public-Facing Application, allowing attackers to inject and execute arbitrary SQL queries for data access, modification, or disruption.