Cyber Posture

CVE-2025-25349

CriticalPublic PoC

Published: 12 February 2025

Published
12 February 2025
Modified
05 March 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 40.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-25349 is a SQL injection vulnerability (CWE-89) in PHPGurukul Daily Expense Tracker System version 1.1, specifically affecting the /dets/add-expense.php endpoint through the costitem parameter. Published on 2025-02-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts across confidentiality, integrity, and availability.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation enables arbitrary SQL query execution, allowing attackers to read sensitive data, modify records, or disrupt database operations in the affected application.

Further technical details, including proof-of-concept information, are available in the referenced writeup at https://github.com/vkcyberexpert/CVE-Writeup/blob/main/PHPGurukul/Daily%20Expense%20Tracker%20System/SQL%20Injection%20item%20add-expense%20costitem%20parameter.pdf.

Details

CWE(s)
CWE-89

Affected Products

phpgurukul
daily expense tracker system
1.1

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection in public-facing web application (/dets/add-expense.php) enables initial access via exploitation (T1190) and data collection from databases (T1213.006).

References