CVE-2025-2854
Published: 27 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2854 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Payroll Management System 1.0. It affects an unknown functionality within the file update_employee.php, where manipulation of the emp_type argument triggers the issue. The vulnerability, published on 2025-03-27, carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and can be exploited remotely.
A remote attacker with low privileges can exploit this vulnerability with low complexity and no user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption via SQL injection. The exploit has been publicly disclosed and may be used, with other parameters possibly affected as well.
Advisories and additional details, including potential exploit code, are referenced at sites such as https://code-projects.org/, https://github.com/hak0neP/cve/blob/main/sql-fizz.md, https://vuldb.com/?ctiid.301501, https://vuldb.com/?id.301501, and https://vuldb.com/?submit.522479. No specific patches or mitigations are detailed in the CVE description.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (update_employee.php) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505 as noted in advisory), and collection from databases via arbitrary SQL queries (T1213.006).