CVE-2025-2472
Published: 18 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2472 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Apartment Visitors Management System version 1.0. The issue resides in an unknown functionality of the /index.php file within the Sign In component, where manipulation of the "username" argument triggers the injection. Published on 2025-03-18, it carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this vulnerability with low complexity and no user interaction. Exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL payloads.
Advisories and details are available via VulDB entries (ctiid.299965, id.299965, submit.517264), a GitHub vulnerability report (l8BL/vul_report/issues/1), and the vendor site phpgurukul.com. The exploit has been publicly disclosed and may be actively used.
Notable context includes the public availability of the exploit, increasing the risk of real-world attacks against exposed instances of this management system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app login (/index.php) enables initial access via public-facing app exploitation (T1190), server software component abuse (T1505 as per VulDB), and data collection from databases (T1213.006) through arbitrary SQL queries for sensitive data retrieval.