Cyber Posture

CVE-2025-28087

Critical · Public PoC

Published: 28 March 2025
Modified: 07 April 2025
KEV Added: none listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

SQL injection (CWE-89) in the dash.php component of Sourcecodester Online Exam System 1.0, exploitable by an unauthenticated remote attacker with no user interaction required.

Security Summary

CVE-2025-28087 is a SQL injection vulnerability (CWE-89) in Sourcecodester Online Exam System 1.0, reachable through the dash.php component. Published 2025-03-28T22:15:17.717, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which is Critical.

The vector is network-reachable, low complexity, no privileges and no user interaction: any remote attacker who can reach dash.php can inject into the SQL the application executes. The advisory metadata does not identify the injectable parameter, so confirm it against the referenced write-up before building a test case or a detection. Impact is High on confidentiality, integrity and availability, since injected statements can read, modify or delete database contents. Note the gap between the indicators: a public PoC exists, yet EPSS is 0.27% (50.8th percentile) and no KEV entry is listed, so the Risk Priority of 20 is driven almost entirely by the CVSS term.

Advisories with further details, including potential mitigation guidance, are available at https://www.yuque.com/morysummer/vx41bz/vxhdpdeavzvtvdqq.
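As an added illustration (not code from this page or from the Sourcecodester project): the affected application is PHP, but the defect class is language-independent, so the pattern is modelled here in Python against an in-memory SQLite database. The table layout, the `id` parameter name, the sample rows and the two payloads are constructed assumptions; the page only identifies dash.php and CWE-89. The vulnerable function splices the request parameter into the query text; the hardened function binds it as a parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the app's database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE exams (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO exams VALUES (1, 'Algebra'), (2, 'Biology'), (3, 'Chemistry');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', 'hash-of-admin'), ('student1', 'hash-of-student1');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, exam_id: str) -> list:
    # CWE-89: the request parameter is spliced into the SQL text, so SQL
    # metacharacters in it change the query. This is the defect class the
    # advisory assigns to dash.php; the parameter name 'id' is assumed.
    sql = f"SELECT id, title FROM exams WHERE id = '{exam_id}'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn: sqlite3.Connection, exam_id: str) -> list:
    # Fix: a bound parameter. The driver passes the value separately from the
    # SQL text, so quotes, OR and UNION inside it are just characters.
    sql = "SELECT id, title FROM exams WHERE id = ?"
    return conn.execute(sql, (exam_id,)).fetchall()


# Constructed payloads: a tautology that widens the WHERE clause, and a
# UNION that pulls a different table into the result set.
TAUTOLOGY = "1' OR '1'='1"
EXFIL = "' UNION SELECT username, password_hash FROM users--"


def demo() -> dict:
    """Run both code paths against a normal value and both payloads."""
    conn = make_db()
    return {
        "normal_vuln": vulnerable_lookup(conn, "2"),
        "normal_safe": hardened_lookup(conn, "2"),
        "tautology_vuln": vulnerable_lookup(conn, TAUTOLOGY),
        "tautology_safe": hardened_lookup(conn, TAUTOLOGY),
        "exfil_vuln": vulnerable_lookup(conn, EXFIL),
        "exfil_safe": hardened_lookup(conn, EXFIL),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

Running it shows the tautology payload returning every exam row and the UNION payload returning the users table through the vulnerable path, while both payloads return nothing from the parameterized query and the normal lookup behaves identically in both. The fix in a PHP code base is the same idea: prepared statements with bound parameters via PDO or mysqli, not string escaping.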

Details

CWE(s)
CWE-89

Affected Products

nayem-howlader · online exam system · 1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated SQL injection in a public-facing web application (dash.php) is a direct instance of T1190: the adversary's first foothold comes from exploiting an Internet-exposed application rather than from stolen credentials or phishing.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
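A detection check to go with the T1190 mapping, added here as an example and not part of the page: it scans web-server access logs for requests to dash.php whose decoded query string carries SQL injection markers. The log lines are constructed (RFC 5737 test addresses), the `id` parameter is an assumption since the page does not name the injectable field, and the patterns are deliberately narrow.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Mar/2025:10:01:02 +0000] "GET /dash.php?id=2 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2025:10:01:09 +0000] "GET /dash.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Mar/2025:10:02:15 +0000] "GET /dash.php?id=%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 2210 "-" "sqlmap/1.8"
198.51.100.4 - - [29/Mar/2025:10:02:40 +0000] "GET /index.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Narrow markers for the three classic shapes of the attack.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'?\d", re.I),    # tautology: ' OR '1'='1
    re.compile(r"\bunion\b.*\bselect\b", re.I),  # union-based extraction
    re.compile(r"(--|#|/\*)"),                   # comment to truncate the query
]


def parse(line: str):
    """Split one access-log line into fields, decoding the query string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode before matching, or %27 hides the quote
    return rec


def is_sqli(query: str) -> bool:
    """True if the decoded query string matches any injection marker."""
    return any(p.search(query) for p in SQLI_PATTERNS)


def detect(log_text: str, target: str = "/dash.php") -> list:
    """Return flagged requests to the target script as triage records."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["path"] == target and is_sqli(rec["query"]):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "query": rec["query"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['query']}")
```

GET-based probing shows up in access logs this way; if the injectable field is sent by POST, the body is not logged and the same check has to run in a WAF, reverse proxy or application log instead. Treat matches as triage candidates rather than verdicts: the comment pattern in particular fires on benign input, and a successful exploit is confirmed by the response size or the database audit log, not by the request alone.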

References

https://www.yuque.com/morysummer/vx41bz/vxhdpdeavzvtvdqq