CVE-2025-2374
Published: 17 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2374 is a critical SQL injection vulnerability in the PHPGurukul Human Metapneumovirus Testing Management System version 1.0. The flaw resides in the processing of the /profile.php file, where manipulation of the arguments aid, adminname, mobilenumber, or email enables injection attacks. It is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), carrying a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption through injected SQL queries.
Advisories and references, including a GitHub issue from SECWG (https://github.com/SECWG/cve/issues/7), the vendor site (https://phpgurukul.com/), and VulDB entries (https://vuldb.com/?ctiid.299873, https://vuldb.com/?id.299873, https://vuldb.com/?submit.515429), document the issue and recent submission details, published on 2025-03-17.
The exploit has been publicly disclosed and may be actively used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/profile.php) enables exploitation of public-facing application (T1190), abuse of server software component (T1505 as noted in advisory), and data collection from databases via arbitrary SQL queries (T1213.006).