CVE-2025-2380
Published: 17 March 2025
Description
SQL injection in PHPGurukul Apartment Visitors Management System 1.0: the 'mobilenumber' argument processed by /admin-profile.php reaches a database query without neutralisation, so a remote attacker can alter the query without holding an account. The advisory maps the issue to MITRE ATT&CK T1505 (Server Software Component), whose description reads: "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems."
Security Summary
CVE-2025-2380 is a SQL injection vulnerability (CWE-89, with CWE-74 as the parent weakness) in PHPGurukul Apartment Visitors Management System version 1.0. The flaw is in the handling of /admin-profile.php: the value of the 'mobilenumber' argument is placed into a SQL statement without sanitisation or parameterisation, so a crafted value changes the statement that the database executes. The CVSS v3.1 base score is 7.3 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L; note that 7.3 falls in the High band even though some databases label the entry "critical".
The vector means an unauthenticated attacker (PR:N) can reach the flaw over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Each of confidentiality, integrity and availability is rated Low: injected queries can read or modify data beyond what the page intends and can disrupt the service (for example through time-based or error-inducing queries), but the scoring does not assert full database or host compromise.
References: VulDB (ctiid.299879, id.299879, submit.515873), the disclosure at github.com/aionman/cve/issues/1, and the vendor site phpgurukul.com. A working exploit has been published, so the vulnerability should be treated as exploitable in the wild.
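To make the summary concrete, the following is an added example written for this page; it is not PHPGurukul's code and does not reproduce the real admin-profile.php or its schema. It models the bug class with an in-memory SQLite table (the table and column names are assumptions): the vulnerable function builds the UPDATE by string concatenation, so a crafted 'mobilenumber' value rewrites other columns and other rows (the Low integrity impact in the CVSS vector); the hardened function binds the value as a parameter and adds a format check on the value itself.

```python
import re
import sqlite3

# Constructed sample schema and rows, modelled loosely on an admin profile table.
# The real application's schema is not reproduced here (assumption).
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tbladmin (id INTEGER PRIMARY KEY, AdminName TEXT, "
        "MobileNumber TEXT, Email TEXT)"
    )
    con.execute("INSERT INTO tbladmin VALUES (1, 'admin', '9876543210', 'admin@example.com')")
    con.execute("INSERT INTO tbladmin VALUES (2, 'auditor', '9123456789', 'audit@example.com')")
    con.commit()
    return con


# Constructed attacker value for the 'mobilenumber' argument. It closes the string
# literal, appends a second column assignment, widens the WHERE clause to every
# row and comments out the rest of the original statement.
PAYLOAD = "x', Email='attacker@evil.test' WHERE 1=1 -- "


def update_profile_vulnerable(con, admin_id, mobilenumber):
    # The CWE-89 pattern: untrusted input concatenated straight into the statement.
    sql = f"UPDATE tbladmin SET MobileNumber='{mobilenumber}' WHERE id={admin_id}"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # rows actually modified; > 1 means the WHERE clause was hijacked


def is_valid_mobile(value):
    # Defence in depth: the field is a phone number, so reject anything that is not
    # 10 digits. The exact format is an assumption for this example.
    return re.fullmatch(r"\d{10}", value) is not None


def update_profile_fixed(con, admin_id, mobilenumber):
    # Parameter binding: the driver sends the value separately from the SQL text,
    # so quotes, commas and comment markers inside it are just characters.
    cur = con.execute(
        "UPDATE tbladmin SET MobileNumber=? WHERE id=?", (mobilenumber, admin_id)
    )
    con.commit()
    return cur.rowcount


def emails(con):
    return [row[0] for row in con.execute("SELECT Email FROM tbladmin ORDER BY id")]


def mobile(con, admin_id):
    return con.execute("SELECT MobileNumber FROM tbladmin WHERE id=?", (admin_id,)).fetchone()[0]


if __name__ == "__main__":
    con = build_db()
    print("vulnerable: rows changed =", update_profile_vulnerable(con, 1, PAYLOAD), emails(con))
    con = build_db()
    print("fixed: rows changed =", update_profile_fixed(con, 1, PAYLOAD), emails(con))
    print("payload passes format check:", is_valid_mobile(PAYLOAD))
```

Run stand-alone, the vulnerable path reports two rows changed and both admin e-mail addresses replaced; the parameterised path changes exactly one row and stores the payload as an inert string (which the format check would then reject before it ever reached the database). The same fix applies to the PHP original: bind the value with a prepared statement (mysqli or PDO) rather than interpolating it, and validate the phone number format up front.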
Details
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component)
Affected Products
- PHPGurukul Apartment Visitors Management System 1.0
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1505 Server Software Component
- T1213.006 Data from Information Repositories: Databases
Why these techniques?
The injection point is an unauthenticated, network-reachable page, so the primary technique is T1190 (Exploit Public-Facing Application). Because the injected statements run against the application's database, successful exploitation can also read records the page was never meant to expose, which is T1213.006 (Data from Information Repositories: Databases). The advisory additionally maps the issue to T1505 (Server Software Component); that is a persistence technique, and the injection alone does not grant it, so treat that mapping as describing what an attacker could pursue after the initial exploit rather than an effect the CVE itself produces.
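For the T1190 mapping, defenders usually want something they can run over existing web-server logs. The following detection is an added example for this page, not part of the advisory: it parses combined-format access log lines, picks out requests to admin-profile.php and flags any 'mobilenumber' value that, once URL-decoded, contains SQL metacharacters or keywords. The log lines are constructed for the example, the /avms/ path prefix is an assumption, and the example assumes the argument is sent in the query string; if the real exploit posts it in a request body, standard access logs will not contain the value and the same check must run at a WAF or in application-level logging instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format log lines (not real traffic). Line 1 is a normal
# request; lines 2 and 3 carry injection attempts in the mobilenumber argument;
# line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Mar/2025:10:02:11 +0000] "GET /avms/admin-profile.php?mobilenumber=9876543210 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Mar/2025:10:03:42 +0000] "GET /avms/admin-profile.php?mobilenumber=x%27%2C+Email%3D%27a%40evil.test%27+WHERE+1%3D1+--+ HTTP/1.1" 200 1843 "-" "python-requests/2.32"
198.51.100.9 - - [17/Mar/2025:10:03:50 +0000] "GET /avms/admin-profile.php?mobilenumber=9876543210%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 1843 "-" "sqlmap/1.8"
203.0.113.5 - - [17/Mar/2025:10:04:01 +0000] "GET /avms/index.php HTTP/1.1" 200 922 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: client, identd, user, [timestamp], "request",
# status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signals that a phone-number field should never legitimately contain. The value
# is decoded before matching, so %27 and '+' encodings are handled by parse_qs.
SQLI_RE = re.compile(r"('|--|/\*|;|\b(?:or|and|union|select|sleep|benchmark)\b)", re.I)


def analyze(line):
    """Return a finding dict for a suspicious admin-profile.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith("/admin-profile.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("mobilenumber", []):
        if SQLI_RE.search(value):
            return {
                "ip": m["ip"],
                "ts": m["ts"],
                "ua": m["ua"],
                "status": int(m["status"]),
                "mobilenumber": value,  # decoded, as the application would see it
            }
    return None


def find_suspicious(log_text):
    return [hit for hit in (analyze(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['ua']!r}: mobilenumber={hit['mobilenumber']!r}")
```

The keyword list is deliberately short: because the field is a phone number, even a bare single quote is a strong signal, and the status code is reported rather than filtered on, since an injection that succeeds returns 200 just like a normal request. Pivoting on the source address and user agent of a hit (sqlmap and python-requests in the constructed lines) is the natural next step when triaging.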