Cyber Resilience

CVE-2025-0211

MediumPublic PoC

Published: 04 January 2025

Published
04 January 2025
Modified
10 January 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0011 28.4th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0211 is a medium-severity External Control of File Name or Path (CWE-73) vulnerability in Campcodes School Faculty Scheduling System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0211 is a critical vulnerability in the Campcodes School Faculty Scheduling System version 1.0, affecting an unknown functionality within the /admin/index.php file. The issue arises from manipulation of the "page" argument, leading to file inclusion, specifically classified under CWE-73 (External Control of File Name or Path) and NVD-CWE-Other. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on January 4, 2025.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially enabling unauthorized file access or inclusion depending on the system's configuration.

Advisories from VulDB (ctiid.290156, id.290156, submit.474115) document the issue, and a proof-of-concept exploit is publicly available on GitHub at shaturo1337/POCs/blob/main/LFI%20in%20School%20Faculty%20Scheduling%20System.md. The vendor's site at campcodes.com provides context on the affected software, though specific patch details are not outlined in the referenced sources.

The exploit has been disclosed to the public and may be used in attacks.

EU & UK References

Vulnerability details

A vulnerability was found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/index.php. The manipulation of the argument page leads to file inclusion. The attack may…

more

be launched remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The LFI vulnerability (CVE-2025-0211) in the public-facing /admin/index.php enables exploitation of a public-facing application (T1190). It facilitates reading arbitrary local files for data from local system (T1005), file and directory discovery (T1083), and extracting credentials from files (T1081) such as source code and configs.

CVEs Like This One

CVE-2025-0210Same product: Campcodes School Faculty Scheduling System
CVE-2025-11079Same vendor: Campcodes
CVE-2026-0597Same vendor: Campcodes
CVE-2025-7220Same vendor: Campcodes
CVE-2025-7218Same vendor: Campcodes
CVE-2025-53912Shared CWE-73
CVE-2025-7219Same vendor: Campcodes
CVE-2025-7217Same vendor: Campcodes
CVE-2025-0213Same vendor: Campcodes
CVE-2025-0341Same vendor: Campcodes

Affected Assets

campcodes
school faculty scheduling system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the LFI vulnerability by validating the manipulable 'page' argument in /admin/index.php to prevent external control of file names or paths.

prevent

Remediates the specific critical file inclusion flaw in Campcodes School Faculty Scheduling System 1.0 to eliminate the vulnerability.

prevent

Restricts the 'page' parameter inputs to approved values, blocking path traversal attempts that enable remote file inclusion.

References