CVE-2025-2973
Published: 31 March 2025
Description
Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting.
Security Summary
CVE-2025-2973 is a critical vulnerability in code-projects College Management System 1.0, affecting an unknown part of the file /Admin/student.php. The issue arises from manipulation of the profile_image argument, enabling unrestricted file upload. It was published on 2025-03-31 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), with associated CWEs CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. Exploitation allows uploading arbitrary files, potentially compromising confidentiality, integrity, and availability to a low degree within the unchanged scope.
Advisories provide further details via VulDB entries (ctiid.302025, id.302025, submit.522478) and the vendor site at code-projects.org. A GitHub repository (hak0neP/cve/blob/main/cve-RCE.md) discloses the exploit publicly, indicating it may be used in attacks. No specific patches or mitigations are detailed in the CVE information.
The exploit disclosure heightens the risk for deployments of College Management System 1.0.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload vulnerability in public-facing web application (/Admin/student.php) enables exploitation for initial access (T1190), deployment of web shells (T1505.003), and staging of malware/tools (T1608.001/.002), as confirmed by advisories noting RCE via uploaded Trojans.