Cyber Posture

CVE-2025-2735

HighPublic PoC

Published: 25 March 2025

Published
25 March 2025
Modified
15 May 2025
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0010 27.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-2735 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Old Age Home Management System 1.0. It affects an unknown functionality within the file /admin/add-services.php, where manipulation of the "sertitle" argument enables SQL injection. The issue was published on 2025-03-25 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL commands.

Advisories and details are available via VulDB entries (https://vuldb.com/?ctiid.300757, https://vuldb.com/?id.300757, https://vuldb.com/?submit.522266), the vendor site (https://phpgurukul.com/), and a public exploit disclosure (https://github.com/0xabandon/CVE/issues/2). The exploit has been disclosed to the public and may be used.

Details

CWE(s)
CWE-74CWE-89

Affected Products

phpgurukul
old age home management system
1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1505 Server Software Component Persistence
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

Unauthenticated remote SQL injection in public-facing web application (/admin/add-services.php) enables exploitation of public-facing applications (T1190), abuse of server software components such as databases (T1505), and collection of data from databases via tools like sqlmap (T1213.006).

References