CVE-2025-2664
Published: 23 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2664 is a critical SQL injection vulnerability in CodeZips Hospital Management System version 1.0, published on 2025-03-23. The issue affects an unspecified function in the file /suadpeted.php, where manipulation of the ID argument enables SQL injection. It is associated with CWE-74 (improper neutralization of special elements) and CWE-89 (SQL injection), with a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by attackers who already hold high privileges (PR:H); it requires network access, has low attack complexity, and needs no user interaction. Successful exploitation has limited impact: low confidentiality (C:L) through potential data exposure, low integrity (I:L) through data modification, and low availability (A:L) through service disruption.
Advisories from VulDB and a related GitHub repository detail the vulnerability, confirming the SQL injection via the ID parameter in /suadpeted.php. The exploit has been publicly disclosed in the GitHub document "SQL_Injection_in_Hospital_Management_System.md" and may be actively used by attackers.
Notable context includes the public availability of the exploit, increasing the risk for unpatched instances of this hospital management system. No evidence of widespread real-world exploitation is specified in the available data.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection vulnerability in a public-facing web application (/suadpeted.php) maps to exploitation of public-facing applications (T1190) and facilitates unauthorized collection of data from databases (T1213.006).
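A minimal illustration of the defect class this CVE describes (an ID request parameter spliced into a SQL statement) beside the parameterized form that fixes it, as an added example. This is not code from CodeZips Hospital Management System; the patients table, the function names and the sample values are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for a patient-lookup page that reads an ID parameter
# from the request and queries a patients table; the real file and schema of
# the affected product are not on this page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob"), (3, "Carol")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, id_param):
    # Defective pattern (CWE-89): the request parameter is spliced into the SQL
    # text, so its content becomes part of the statement rather than a value.
    sql = f"SELECT id, name FROM patients WHERE id = {id_param}"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, id_param):
    # Hardened form: validate the type the page expects, then bind the value
    # through a placeholder so the driver never interprets it as SQL.
    try:
        patient_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute("SELECT id, name FROM patients WHERE id = ?",
                        (patient_id,)).fetchall()

def demo():
    conn = make_db()
    tainted = "1 OR 1=1"                      # constructed non-integer ID value
    vuln = lookup_vulnerable(conn, tainted)   # tautology: every row comes back
    safe = lookup_hardened(conn, "2")         # only the requested record
    try:
        lookup_hardened(conn, tainted)
        rejected = False
    except ValueError:
        rejected = True                       # non-integer input never reaches SQL
    return len(vuln), safe, rejected

if __name__ == "__main__":
    print(demo())  # (3, [(2, 'Bob')], True)
```

Detection-wise, the same integer check is the cheap triage signal: a request to the affected page whose ID parameter is not a plain integer is worth alerting on.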