CVE-2025-2680
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2680 is a critical SQL injection vulnerability in PHPGurukul Bank Locker Management System version 1.0. The issue affects an unknown functionality in the file /edit-assign-locker.php?ltid=1, where manipulation of the 'mobilenumber' argument enables SQL injection. Associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The vulnerability was published on 2025-03-24.
The vulnerability can be exploited remotely without authentication or user interaction, requiring only network access and low attack complexity. Successful exploitation through the injectable 'mobilenumber' parameter has limited impact on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption within the affected application.
Advisories and details are available from sources including VulDB (ctiid.300697, id.300697, submit.521448), a GitHub issue at ARPANET-cyber/CVE/issues/9, and the vendor site phpgurukul.com. No specific patch or mitigation steps are detailed in the primary disclosure.
The exploit has been publicly disclosed and may be actively used by attackers.
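The disclosure above names only the file and the injectable parameter, and no vendor code is reproduced here. As an added illustration that is not part of this advisory and not code from PHPGurukul, the following PHP shows the defect class CWE-89 describes, a request parameter interpolated into an SQL string, beside the hardened form a maintainer would apply: a prepared statement with bound parameters plus input validation. The database driver (mysqli), the table and column names, the length bounds for a mobile number, and the connection details are all assumptions for the example.

```php
<?php
// Added example, not code from the Bank Locker Management System.
// Hypothetical handler modelled on an edit form that takes 'ltid' from the query
// string and 'mobilenumber' from the POST body. Table/column names are assumed.

declare(strict_types=1);

// --- Vulnerable pattern: user input becomes part of the SQL text ---
// Whatever the client sends in 'mobilenumber' is concatenated into the statement,
// so the client, not the developer, decides the final query structure.
function updateLockerUnsafe(mysqli $db, string $ltid, string $mobilenumber): bool
{
    $sql = "UPDATE locker_assignments SET mobile_number='$mobilenumber' WHERE id='$ltid'";
    return $db->query($sql) === true;
}

// --- Hardened pattern: prepared statement with bound parameters ---
// The statement is compiled before any user data is attached; bound values are
// transmitted separately and cannot alter the statement's structure.
function updateLockerSafe(mysqli $db, int $ltid, string $mobilenumber): bool
{
    // Validate on top of parameterisation: a mobile number is digits only.
    // The 6..15 length bound is an assumption for illustration.
    if (!preg_match('/^\d{6,15}$/', $mobilenumber)) {
        return false;
    }

    $stmt = $db->prepare('UPDATE locker_assignments SET mobile_number = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $mobilenumber, $ltid); // 's' = string, 'i' = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling: 'ltid' must be an integer; anything else is rejected up front.
// filter_input returns false for a non-integer value and null when the key is absent.
$ltid = filter_input(INPUT_GET, 'ltid', FILTER_VALIDATE_INT);
$mobilenumber = (string)($_POST['mobilenumber'] ?? '');

if ($ltid === false || $ltid === null) {
    http_response_code(400);
    exit('invalid locker id');
}

// Connection parameters are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_errno) {
    http_response_code(500);
    exit('database unavailable');
}

if (updateLockerSafe($db, $ltid, $mobilenumber)) {
    echo 'updated';
} else {
    http_response_code(400);
    echo 'update rejected';
}
```

The safe version still validates the value even though the prepared statement alone closes the injection: the validation keeps malformed data out of the table and turns unexpected input into a 400 response, which is also a convenient point to log for detection. Until a vendor fix is available, the same shape of rule (digits only, bounded length, on the 'mobilenumber' field of this endpoint) is what a reverse proxy or WAF virtual patch would enforce in front of the application.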
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing PHP web application (edit-assign-locker.php) allows unauthenticated remote exploitation over the network, directly mapping to T1190 Exploit Public-Facing Application for initial access with limited C/I/A impact.