CVE-2025-25354
Published: 13 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25354 is a SQL injection vulnerability in the /admin/admin-profile.php component of PHPGurukul Land Record System version 1.0. The flaw allows remote attackers to execute arbitrary code by injecting malicious payloads via the contactnumber POST request parameter. It is classified under CWE-89 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Attackers with high privileges, such as authenticated administrators, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables arbitrary code execution, resulting in high impacts on confidentiality, integrity, and availability within the application's scope.
References for this CVE include GitHub writeups at https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Land%20record/SQL%20Injection%20contact.pdf, which document the SQL injection affecting the contactnumber parameter in PHPGurukul Land Record System. No specific patches or mitigation steps are detailed in the CVE description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (/admin/admin-profile.php) enables remote arbitrary SQL code execution, mapped to exploitation of public-facing applications.