CVE-2025-2373
Published: 17 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2373 is a critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management System 1.0. The flaw affects unknown code in the /check_availability.php file, where manipulation of the mobnumber or employeeid arguments enables SQL injection. Published on 2025-03-17, it is associated with CWE-74 and CWE-89.
The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Remote attackers with low privileges can exploit it over the network with low complexity and no user interaction required, potentially achieving low impacts on confidentiality, integrity, and availability via SQL injection.
Advisories and further details, including potential mitigation guidance, are available in referenced sources such as https://github.com/SECWG/cve/issues/6, https://vuldb.com/?ctiid.299872, https://vuldb.com/?id.299872, and https://vuldb.com/?submit.515408. The exploit has been publicly disclosed and may be used.
The vendor site at https://phpgurukul.com/ provides context on the affected software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated SQL injection vulnerability in a public-facing web application (/check_availability.php) enables exploitation of public-facing applications (T1190) and facilitates unauthorized data collection from databases via arbitrary SQL queries (T1213.006).