CVE-2025-25388
Published: 13 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25388, published on 2025-02-13, is a SQL injection vulnerability (CWE-89) affecting the /admin/edit-propertytype.php component in PHPGurukul Land Record System version 1.0. The issue arises from improper handling of the editid GET request parameter, enabling remote attackers to inject malicious SQL payloads. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the affected endpoint. Successful exploitation allows execution of arbitrary code, granting high-impact access to confidentiality, integrity, and availability of the system, such as data exfiltration, alteration, or denial of service.
A detailed writeup of the vulnerability is available at https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Land%20record/SQL%20Injection%20p%20editid.pdf, which may provide further technical insights, though no specific patches or official mitigation guidance from the vendor is detailed in the provided references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing web application (/admin/edit-propertytype.php) enables remote attackers to execute arbitrary code via editid parameter, directly facilitating exploitation of public-facing applications.