CVE-2025-2372
Published: 17 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2372 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) in PHPGurukul Human Metapneumovirus Testing Management System version 1.0. The flaw affects the Password Recovery Page component, specifically the file /password-recovery.php, where manipulation of the 'username' argument enables SQL injection. Published on 2025-03-17, it carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is remotely exploitable by unauthenticated attackers with low attack complexity and no user interaction required. Exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption within the application's database.
Advisories referenced in VULDB entries (ctiid.299871, id.299871, submit.515389), a GitHub issue at SECWG/cve/issues/5, and the vendor site phpgurukul.com document the issue, with the exploit publicly disclosed and available for use. No specific patch or mitigation details are outlined in the core disclosure.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in public-facing web application password recovery page enables exploitation of public-facing application (T1190) and collection of data from backend databases (T1213.006).