CVE-2025-0532
Published: 17 January 2025
Summary
CVE-2025-0532 is a medium-severity Injection (CWE-74) vulnerability in Codezips Gym Management System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation and neutralization of untrusted inputs like the m_id parameter in the vulnerable PHP endpoint.
Mandates identification, reporting, and timely remediation of flaws such as this publicly disclosed SQL injection vulnerability through patching or code correction.
Facilitates proactive detection of SQL injection vulnerabilities like CVE-2025-0532 via automated scanning of web applications and hosted systems.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (/dashboard/admin/new_submit.php) enables exploitation of public-facing applications (T1190), abuse of server software components for execution (T1505 as noted in advisory), and unauthorized data collection from databases (T1213.006) via arbitrary SQL queries.
NVD Description
A vulnerability was found in Codezips Gym Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /dashboard/admin/new_submit.php. The manipulation of the argument m_id leads to sql injection. It is possible to launch…
more
the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-0532 is a critical SQL injection vulnerability in Codezips Gym Management System version 1.0. The issue affects an unknown function within the file /dashboard/admin/new_submit.php, where manipulation of the m_id argument enables the injection. It is remotely exploitable and has been assigned a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), with associated CWEs-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection). The vulnerability was published on 2025-01-17.
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized access, modification, or disruption of database operations through the injected SQL payload.
Advisories referenced in sources like VulDB and a GitHub issue (TIANN0/CVE #1) disclose the vulnerability details and proof-of-concept exploit, which has been made public and may be actively used by attackers. No specific patches or mitigation steps are detailed in the available references.
Details
- CWE(s)