CVE-2025-2656
Published: 23 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2656 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Zoo Management System version 2.1. The flaw resides in an unknown function of the file /admin/login.php, where manipulation of the Username argument triggers the injection.
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Advisories from VulDB (ctiid.300672, id.300672) and a GitHub issue document the vulnerability, noting that an exploit has been publicly disclosed. The vendor's site at phpgurukul.com is referenced, though specific mitigation or patch details are not outlined in the available sources.
The exploit's public disclosure increases the risk of widespread abuse against exposed instances of the affected software.
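The defect class described above, as an added example that is not the application's own code: an SQLite-backed stand-in for the admin login in which the Username value is spliced into the SQL text, beside the parameterized form that fixes it. The table name, column names and password hashing are assumptions, not the product's real schema.

```python
import hashlib
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the admin table (assumed schema, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbladmin (UserName TEXT, Password TEXT)")
    conn.execute(
        "INSERT INTO tbladmin VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct-horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable pattern (CWE-89): request input becomes part of the statement
    text, so any quote character in `username` changes the statement's structure."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT UserName FROM tbladmin WHERE UserName='" + username
        + "' AND Password='" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed pattern: placeholders keep the statement fixed; the driver binds
    `username` as data, so a quote is just a character inside the value."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT UserName FROM tbladmin WHERE UserName=? AND Password=?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


def compare(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Run both code paths on the same input and report what each did.
    A quote in the username makes the unsafe path emit a malformed statement,
    which is the same mechanism an injection relies on."""
    try:
        unsafe = login_unsafe(conn, username, password)
    except sqlite3.OperationalError as exc:
        unsafe = f"SQL error: {exc}"  # structure of the statement was altered
    return {"unsafe": unsafe, "safe": login_safe(conn, username, password)}
```

Running `compare(build_demo_db(), "O'Brien", "x")` shows the unsafe path failing with a syntax error while the parameterized path simply returns False.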
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated /admin/login.php enables remote exploitation of a public-facing web application (T1190) and arbitrary database queries for data collection (T1213.006).