CVE-2025-2847
Published: 27 March 2025
Description
Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors.
Security Summary
CVE-2025-2847 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips Gym Management System 1.0. The flaw affects the processing of the file /dashboard/admin/over_month.php, where manipulation of the "mm" argument enables SQL injection.
Remote attackers with low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation yields limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in the CVSS v3.1 base score of 6.3 (S:U).
VulDB advisories, including entries at https://vuldb.com/?ctiid.301493 and https://vuldb.com/?id.301493, detail the issue, noting that an exploit has been publicly disclosed and may be used against vulnerable instances. No patches are referenced in available information.
The public availability of the exploit elevates the risk for deployments of the affected Gym Management System.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in web application (/dashboard/admin/over_month.php) enables exploitation of public-facing applications (T1190) and abuse of server software components (T1505, specifically vSphere or general web app components like T1505.006), allowing unauthorized database access, manipulation, and potential compromise as noted in advisories.