CVE-2025-57515
Published: 06 October 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-57515 is a SQL injection vulnerability (CWE-89) in Uniclare Student Portal v2. Published on 2025-10-06, the flaw enables remote attackers to inject arbitrary SQL commands via vulnerable input fields, including the execution of time-delay functions to infer database responses. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and high impacts across confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability without user interaction by targeting the affected input fields in the Student Portal. Exploitation leverages blind SQL injection techniques, such as time-based delays, to extract sensitive database information or potentially alter data, achieving the high-impact triad outlined in the CVSS metrics.
Details on exploitation, including a PDF report, are available in the GitHub repository at https://github.com/sanchitsahni/CVE-2025-57515/ and https://github.com/sanchitsahni/CVE-2025-57515/blob/main/Uniclare%20Student%20Portal%20v2.pdf. Security practitioners should review these references for any advisory-recommended mitigations or patches.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 directly matches exploitation of a public-facing web application via unauthenticated SQL injection. T1213.006 is facilitated by the ability to inject SQL for extracting sensitive database information.