CVE-2025-2626
Published: 22 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2626 is a SQL injection vulnerability (CWE-74, CWE-89) in SourceCodester Kortex Lite Advocate Office Management System 1.0, published on 2025-03-22. The flaw affects unknown code in the file edit_case.php, where manipulation of the ID argument enables SQL injection. Although described as critical, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is remotely exploitable by an attacker with low privileges (PR:L), requiring no user interaction or special conditions. Successful exploitation allows limited impacts: low confidentiality (C:L) via data exposure, low integrity (I:L) through data modification, and low availability (A:L) disruption.
Advisories from VulDB (ctiid.300628, id.300628, submit.519307) and a GitHub issue at Hefei-Coffee/cve/issues/16 detail the issue, with the vendor site at sourcecodester.com listed as a reference. The exploit has been publicly disclosed and may be in use.
Security practitioners should monitor deployments of this system, as public exploit availability increases real-world risk. No patch details are specified in the CVE description.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection in the public-facing web application (edit_case.php) enables exploitation of a public-facing application (T1190); the advisory also notes server software component abuse for SQL execution (T1505); and the injection allows data collection from the database via UNION or time-based queries (T1213.006).
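To support the monitoring recommended above, here is an added detection example (not part of the CVE record or the vendor's code) that scans web-server access logs for requests to edit_case.php whose id parameter is not a plain integer, which is how UNION- or time-based injection attempts against this endpoint would appear. The parameter name "id", the URL path prefix, and the combined log format are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
# Lines 2 and 3 carry non-numeric id values of the kind an injection attempt produces.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2025:10:01:02 +0000] "GET /kortex/edit_case.php?id=17 HTTP/1.1" 200 5120
10.0.0.9 - - [22/Mar/2025:10:01:07 +0000] "GET /kortex/edit_case.php?id=17%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120
10.0.0.9 - - [22/Mar/2025:10:01:09 +0000] "GET /kortex/edit_case.php?id=17%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 311
10.0.0.7 - - [22/Mar/2025:10:02:00 +0000] "GET /kortex/index.php HTTP/1.1" 200 2048
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Allow-list for the case identifier: assumed to be a purely numeric value.
NUMERIC_ID = re.compile(r"^\d+$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_id_requests(log_text):
    """Return (ip, timestamp, decoded id) for each edit_case.php request whose id is not numeric.

    parse_qs percent-decodes the query string, so the returned value is what the
    application would actually see in its id argument.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["path"])
        if not url.path.endswith("/edit_case.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for key, values in params.items():
            if key.lower() != "id":
                continue
            for value in values:
                if not NUMERIC_ID.match(value):
                    findings.append((rec["ip"], rec["ts"], value))
    return findings


if __name__ == "__main__":
    for ip, ts, value in suspicious_id_requests(SAMPLE_LOG):
        print(f"{ts} {ip} edit_case.php id={value!r}")
```

The allow-list check is the same validation the application itself should apply before the id reaches a query; any hit in the log is worth reviewing against the publicly disclosed exploit.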