CVE-2025-2683
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2683 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Bank Locker Management System 1.0, published on 2025-03-24. The flaw lies in an unspecified code path of the file /profile.php, where manipulation of the mobilenumber argument leads to SQL injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers can exploit the vulnerability over the network without authentication or user interaction and with low attack complexity. Successful exploitation yields limited (C:L/I:L/A:L) impacts on confidentiality, integrity, and availability through SQL injection.
The VulDB entries (https://vuldb.com/?ctiid.300700, https://vuldb.com/?id.300700, https://vuldb.com/?submit.521452) and a GitHub issue (https://github.com/ARPANET-cyber/CVE/issues/12) document the flaw, while the vendor site (https://phpgurukul.com/) provides context on the software. A public exploit has been disclosed and may be in use.
The vulnerability's public exploit availability heightens risk for exposed instances of this management system.
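The following is an added illustration of the vulnerability class this entry describes (CWE-89: untrusted request data concatenated into a SQL statement) and of the standard fix. It is constructed for this page and is not the PHPGurukul Bank Locker Management System source; the table name `tbllockers`, the column names, and the database credentials are assumptions. The vulnerable function is shown only to make the contrast with the parameterised version clear.

```php
<?php
// Constructed example, not vendor code. Table/column names are assumed.
// Make mysqli raise exceptions so failed queries are not silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- Vulnerable pattern (what CWE-89 looks like in a PHP lookup) ---
// The request value becomes part of the SQL text, so a quote character in it
// changes the query's structure instead of being treated as data.
function lookupByMobileVulnerable(mysqli $con, string $mobilenumber): ?array
{
    $sql = "SELECT ID, HolderName, MobileNumber FROM tbllockers "
         . "WHERE MobileNumber = '$mobilenumber'";
    $result = $con->query($sql);
    $row = $result->fetch_assoc();
    return $row ?: null;
}

// --- Hardened pattern: allow-list validation plus a prepared statement ---
function lookupByMobileHardened(mysqli $con, string $mobilenumber): ?array
{
    // 1. Reject anything that is not a plausible phone number before it
    //    reaches the database. The pattern is a defensive assumption; adjust
    //    it to the formats the application actually accepts.
    if (!preg_match('/^\+?[0-9]{6,15}$/', $mobilenumber)) {
        throw new InvalidArgumentException('mobilenumber must be 6 to 15 digits');
    }

    // 2. Bind the value as a parameter. The driver sends it separately from
    //    the SQL text, so it can never alter the query structure, whatever
    //    characters it contains.
    $stmt = $con->prepare(
        'SELECT ID, HolderName, MobileNumber FROM tbllockers WHERE MobileNumber = ?'
    );
    $stmt->bind_param('s', $mobilenumber);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage sketch; connection parameters are placeholders.
// $con = new mysqli('localhost', 'dbuser', 'dbpass', 'blmsdb');
// $con->set_charset('utf8mb4');
// $row = lookupByMobileHardened($con, $_POST['mobilenumber'] ?? '');
```

The input check is a second layer, not a substitute for the prepared statement: parameter binding is what removes the injection, while the allow-list keeps malformed values out of the database and produces a clean error that can be logged and alerted on.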
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an unauthenticated, public-facing web application endpoint (/profile.php) directly enables remote exploitation of the application, which maps to T1190 (Exploit Public-Facing Application).