CVE-2025-2658
Published: 23 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2658 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Online Security Guards Hiring System 1.0. The flaw resides in an unknown functionality of the /search-request.php file, where manipulation of the searchdata argument triggers the injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-23.
Remote attackers require no privileges or user interaction to exploit this issue remotely. By injecting malicious payloads into the searchdata parameter, they can compromise the application's database, potentially extracting sensitive data, modifying records, or disrupting service availability, albeit with low impact levels across confidentiality, integrity, and availability.
Advisories from VulDB (ctiid.300674, id.300674, submit.520250) document the issue, while a public exploit disclosure appears in the GitHub repository zyb26252/CVE/issues/1. The vendor site phpgurukul.com is referenced, though specific patch details are not detailed in available sources. The exploit has been publicly disclosed and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing web application (/search-request.php) enables exploitation of public-facing application (T1190) and collection of data from backend databases via UNION-based and time-based techniques (T1213.006).