CVE-2025-2473
Published: 18 March 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2025-2473 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Company Visitor Management System 2.0. The flaw resides in an unknown functionality of the /index.php file within the Sign In component, where manipulation of the username argument triggers the injection. Published on 2025-03-18, it carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL queries.
Advisories provide further details via VulDB entries (ctiid.299966, id.299966, submit.517266) and a GitHub vulnerability report (l8BL/vul_report/issues/2), with the vendor site at phpgurukul.com. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application login enables exploitation (T1190), database data collection via arbitrary queries (T1213.006), and data destruction such as dropping tables (T1485).