CVE-2025-2736
Published: 25 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2736 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Old Age Home Management System 1.0. The flaw resides in unknown functionality of the file /admin/bwdates-report-details.php, where manipulation of the 'fromdate' argument triggers the injection. Other parameters might be affected as well. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-25.
The vulnerability enables remote exploitation without authentication or user interaction. Attackers can launch SQL injection attacks over the network with low complexity, potentially achieving low-level impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.
Advisories from VulDB (ctiid.300758, id.300758, submit.522881) and a GitHub repository (404heihei/CVE/issues/1) document the issue, noting that an exploit has been publicly disclosed and may be used. The vendor site is phpgurukul.com.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in public-facing web application (/admin/bwdates-report-details.php) enables exploitation of public-facing application (T1190), unauthorized database access and data collection (T1213.006), and abuse of server software/DB component (T1505) for data leakage, tampering, and potential control.