CVE-2025-2675
Published: 24 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2675 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Bank Locker Management System 1.0. The flaw resides in an unknown functionality of the /add-lockertype.php file, where manipulation of the 'lockerprice' argument enables SQL code injection. Published on 2025-03-24, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction required. By sending crafted requests to the vulnerable endpoint, attackers can execute arbitrary SQL queries, potentially leading to limited impacts on confidentiality (e.g., data exposure), integrity (e.g., data modification), and availability (e.g., denial of service).
Advisories reference VulDB entries (ctiid.300692, id.300692, submit.521442) and the vendor site phpgurukul.com for details, along with a GitHub issue at ARPANET-cyber/CVE/issues/4 disclosing a public exploit. No specific patches or mitigations are detailed in the available information.
The exploit has been publicly disclosed and may be used against affected systems.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing web application (/add-lockertype.php) enables exploitation of public-facing applications (T1190) and server software components (T1505) for remote database manipulation, as explicitly mapped in the advisory.