CVE-2025-2381
Published: 17 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2381 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Curfew e-Pass Management System 1.0. The flaw resides in an unknown function within the file /admin/search-pass.php, where manipulation of the 'searchdata' argument enables SQL code injection. Published on 2025-03-17, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious input for the 'searchdata' parameter, the attacker can execute arbitrary SQL queries, potentially leading to limited impacts on confidentiality (e.g., data disclosure), integrity (e.g., data modification), and availability (e.g., denial of service).
Advisories from VulDB (ctiid.299880, id.299880, submit.515896) and a GitHub issue (aionman/cve/issues/4) detail the vulnerability, with the vendor site at phpgurukul.com. No specific patches or mitigations are outlined in the provided references.
The exploit has been publicly disclosed and may be used in attacks.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated SQL injection vulnerability in the public-facing web application /admin/search-pass.php enables initial access via exploitation of a public-facing application (T1190) and facilitates collection of data from databases (T1213.006) through arbitrary SQL query execution.