CVE-2025-0211
Published: 04 January 2025
Summary
CVE-2025-0211 is a medium-severity External Control of File Name or Path (CWE-73) vulnerability in Campcodes School Faculty Scheduling System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 23.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the LFI vulnerability by validating the manipulable 'page' argument in /admin/index.php to prevent external control of file names or paths.
- Remediates the specific critical file inclusion flaw in Campcodes School Faculty Scheduling System 1.0 to eliminate the vulnerability.
- Restricts the 'page' parameter inputs to approved values, blocking path traversal attempts that enable remote file inclusion.
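The allowlist validation described by the SI-10 control, shown as an added illustrative example rather than the Campcodes project's own code. It assumes a dispatcher that includes a page template based on the 'page' query parameter; the page names and the pages/ directory are assumptions.

```php
<?php
// Added example, not code from the Campcodes School Faculty Scheduling System.
// Assumed layout: /admin/index.php includes one template from ./pages/ selected by ?page=.

// Vulnerable pattern (CWE-73): the request-controlled value reaches include()
// unchecked, so the client decides which file on disk is included.
function render_page_unsafe(string $page): void
{
    include $page . '.php';
}

// Hardened pattern: the parameter is only a key into a fixed allowlist, never a path.
// Anything not on the list falls back to a safe default (NIST 800-53 SI-10 input validation).
const PAGE_ALLOWLIST = [
    'home'     => 'home.php',      // assumed template names
    'faculty'  => 'faculty.php',
    'schedule' => 'schedule.php',
];

function resolve_page(?string $page): string
{
    // Exact-match lookup: no normalisation, no stripping of "../", no partial matches.
    if ($page !== null && array_key_exists($page, PAGE_ALLOWLIST)) {
        return PAGE_ALLOWLIST[$page];
    }
    return PAGE_ALLOWLIST['home'];
}

function render_page_safe(?string $page): void
{
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/pages/' . resolve_page($page));

    // Defence in depth: even though the name came from the allowlist, confirm the
    // resolved file really lives inside the templates directory before including it.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    include $real;
}

render_page_safe($_GET['page'] ?? null);
```

Logging requests whose 'page' value is rejected by the allowlist gives a simple detection signal for probing of this parameter.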
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI vulnerability (CVE-2025-0211) in the public-facing /admin/index.php enables exploitation of a public-facing application (T1190). Because it allows arbitrary local files to be read, it also facilitates Data from Local System (T1005), File and Directory Discovery (T1083), and Credentials in Files (T1081), for example from source code and configuration files.
NVD Description
A vulnerability was found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/index.php. The manipulation of the argument page leads to file inclusion. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-0211 is a critical vulnerability in the Campcodes School Faculty Scheduling System version 1.0, affecting an unknown functionality within the /admin/index.php file. The issue arises from manipulation of the "page" argument, leading to file inclusion, specifically classified under CWE-73 (External Control of File Name or Path) and NVD-CWE-Other. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on January 4, 2025.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity over the network. Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially enabling unauthorized file access or inclusion depending on the system's configuration.
Advisories from VulDB (ctiid.290156, id.290156, submit.474115) document the issue, and a proof-of-concept exploit is publicly available on GitHub at shaturo1337/POCs/blob/main/LFI%20in%20School%20Faculty%20Scheduling%20System.md. The vendor's site at campcodes.com provides context on the affected software, though specific patch details are not outlined in the referenced sources.
The exploit has been disclosed to the public and may be used in attacks.
Details
- CWE(s)