CVE-2025-2386
Published: 17 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-2386 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Local Services Search Engine Management System version 1.0. The issue affects the processing of the /serviceman-search.php file, where manipulation of the "location" argument enables SQL injection. Published on 2025-03-17, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers can exploit this vulnerability without authentication or user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption within the affected application.
Advisories and additional details are documented in references such as https://github.com/aionman/cve/issues/7, https://phpgurukul.com/, https://vuldb.com/?ctiid.299885, https://vuldb.com/?id.299885, and https://vuldb.com/?submit.516546. The exploit has been publicly disclosed and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in public-facing web application enables remote exploitation (T1190), arbitrary data collection from databases (T1213.006), and stored data manipulation including tampering (T1565.001).