CVE-2025-2676
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2676 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Bank Locker Management System 1.0. The issue resides in an unknown part of the file /add-subadmin.php, where manipulation of the sadminusername argument triggers the injection. It was published on 2025-03-24 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized SQL query execution depending on the database backend.
Advisories and further details, including submission records, are documented in references such as https://github.com/ARPANET-cyber/CVE/issues/5, https://vuldb.com/?ctiid.300693, https://vuldb.com/?id.300693, https://vuldb.com/?submit.521443, and the vendor site https://phpgurukul.com/. No specific patch details are outlined in the core description.
The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated web endpoint (/add-subadmin.php) directly enables remote exploitation of a public-facing application.