CVE-2025-0527
Published: 17 January 2025
Summary
CVE-2025-0527 is a high-severity Injection (CWE-74) vulnerability in Anisha Admission Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation of the in_eml input parameter against expected format and content before database processing.
Requires identification, reporting, and correction of the specific SQL injection flaw in /signupconfirm.php, preventing exploitation post-remediation.
Vulnerability scanning detects SQL injection issues like CVE-2025-0527 in the application, enabling timely patching and prevention of exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (/signupconfirm.php) enables initial access via exploitation (T1190) and data collection from databases through blind/error-based payloads extracting schema and content (T1213.006).
NVD Description
A vulnerability classified as critical was found in code-projects Admission Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /signupconfirm.php. The manipulation of the argument in_eml leads to sql injection. The attack can be launched…
more
remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Deeper analysisAI
CVE-2025-0527 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Admission Management System 1.0. The flaw resides in an unknown functionality of the file /signupconfirm.php, where manipulation of the in_eml argument enables SQL injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-17.
The vulnerability is remotely exploitable by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation via crafted in_eml payloads allows limited impacts on confidentiality, integrity, and availability, such as partial data exposure, modification, or disruption. Other parameters may also be affected.
Advisories and details are documented on VulDB (https://vuldb.com/?id.292411, https://vuldb.com/?ctiid.292411, https://vuldb.com/?submit.477899), a GitHub issue (https://github.com/Curious-L/-/issues/4), and the project site (https://code-projects.org/). No specific patches or mitigations are detailed in the CVE description.
The exploit has been publicly disclosed and may be used in the wild.
Details
- CWE(s)