CVE-2025-2740
Published: 25 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-2740 is a critical SQL injection vulnerability in PHPGurukul Old Age Home Management System 1.0. The issue affects an unknown function in the file /admin/eligibility.php, where manipulation of the pagetitle argument enables the injection. It is remotely exploitable and has been assigned a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), with associated CWEs-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
Remote attackers without authentication prerequisites can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL payloads targeting the pagetitle parameter.
Advisories referenced in VulDB entries (ctiid.300762, id.300762, submit.524733) and a GitHub issue (guimo3/cve/issues/1) document the vulnerability, while the vendor site phpgurukul.com provides context on the affected software. No specific patches or mitigations are detailed in the available information.
The exploit has been publicly disclosed and may be actively used, as noted in the CVE description published on 2025-03-25.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in public-facing web app (/admin/eligibility.php) enables exploitation of public-facing applications (T1190), data collection from databases via queries (T1213.006), and stored data manipulation/tampering (T1565.001).