Cyber Posture

CVE-2025-2679

Severity: High · Public PoC

Published: 24 March 2025

Published: 24 March 2025
Modified: 04 June 2025
KEV Added:
Patch:
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0006 (17.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-2679 is a critical SQL injection vulnerability in PHPGurukul Bank Locker Management System 1.0. The flaw resides in an unknown function within the file /contact-us.php, where manipulation of the pagetitle argument enables SQL injection. Published on 2025-03-24, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 and CWE-89.

The vulnerability is remotely exploitable by unauthenticated attackers, requires low attack complexity, and needs no user interaction. Successful exploitation has a low-rated impact on each of confidentiality, integrity, and availability (C:L/I:L/A:L), potentially allowing unauthorized data access, modification, or disruption through injected SQL queries.

Advisories and additional details are documented in references such as https://github.com/ARPANET-cyber/CVE/issues/8, https://phpgurukul.com/, https://vuldb.com/?ctiid.300696, https://vuldb.com/?id.300696, and https://vuldb.com/?submit.521447. The exploit has been publicly disclosed and may be actively used.

Details

CWE(s)
CWE-74, CWE-89

Affected Products

Vendor: phpgurukul
Product: bank locker management system
Version: 1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote, unauthenticated SQL injection in a public-facing web application endpoint (/contact-us.php), which matches T1190: an adversary can reach and exploit the Internet-facing system directly to gain initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
