CVE-2025-2665
Published: 23 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2665 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) in PHPGurukul Online Security Guards Hiring System 1.0. The flaw affects an unknown part of the file /admin/bwdates-reports-details.php, where manipulation of the fromdate and todate arguments enables SQL injection. Published on 2025-03-23, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by unauthenticated attackers requiring low attack complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption through injected SQL queries.
Advisories and further details are documented on VulDB (ctiid.300687, id.300687, submit.521167), a GitHub issue at i-Corner/cve/issues/1, and the vendor site phpgurukul.com. The exploit has been publicly disclosed and may be used by attackers.
In notable context, the public availability of the exploit increases the risk of real-world exploitation against unpatched instances of this hiring system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing web app (/admin/bwdates-reports-details.php) enables initial access via public-facing app exploitation (T1190), server software component abuse (T1505 as noted in advisory), and database data collection (T1213.006) through arbitrary SQL query execution.