CVE-2025-2737
Published: 25 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2737 is a critical SQL injection vulnerability in PHPGurukul Old Age Home Management System 1.0. The issue resides in an unknown part of the file /admin/contactus.php, where manipulation of the pagetitle argument enables the injection. Classified under CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 7.3.
The vulnerability is exploitable remotely by unauthenticated attackers with low complexity and no user interaction required, per the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation grants limited access to confidential data, moderate integrity disruption, and low availability impact through SQL queries.
Advisories and further details are available in referenced sources, including a GitHub issue at https://github.com/X-X-007/cve/issues/1, the vendor site at https://phpgurukul.com/, and VULDB entries at https://vuldb.com/?ctiid.300759, https://vuldb.com/?id.300759, and https://vuldb.com/?submit.522898.
The exploit has been publicly disclosed and may be used in attacks.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated SQL injection vulnerability in a public-facing PHP web application, directly enabling exploitation of public-facing applications for initial access and data manipulation via injected queries.