CVE-2025-2641
Published: 23 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2641 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Art Gallery Management System version 1.0, published on 2025-03-23. The flaw resides in unknown functionality of the file /admin/edit-artist-detail.php?editid=1, where manipulation of the "Name" argument triggers the injection.
Attackers can exploit this remotely over the network with low attack complexity, requiring no privileges (PR:N) or user interaction (UI:N), as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation enables low-level impacts on confidentiality, integrity, and availability through SQL injection.
Advisories and references, including VulDB entries (https://vuldb.com/?ctiid.300656, https://vuldb.com/?id.300656, https://vuldb.com/?submit.519768) and a GitHub issue (https://github.com/liuhao2638/cve/issues/2), document the issue, along with the vendor site (https://phpgurukul.com/). The exploit has been publicly disclosed and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/admin/edit-artist-detail.php) enables exploitation of public-facing applications (T1190), data collection from databases via arbitrary SQL queries (T1213.006), and abuse of server software components (T1505, as noted in advisory).