CVE-2025-25387
Published: 13 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25387 is a SQL injection vulnerability in the /admin/manage-propertytype.php component of PHPGurukul Land Record System version 1.0. The flaw allows remote attackers to execute arbitrary code by injecting malicious payloads into the propertytype POST request parameter. Published on 2025-02-13, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-89.
Attackers with high privileges, such as administrative access, can exploit this vulnerability remotely over the network with low complexity and without requiring user interaction. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, including arbitrary code execution on the affected system.
References point to GitHub writeups documenting the SQL injection issue in PHPGurukul Land Record System, including a PDF detailing the vulnerability. No specific patch or mitigation guidance is outlined in the provided references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (/admin/manage-propertytype.php) allows remote arbitrary code execution via POST parameter, directly enabling exploitation of public-facing applications.