CVE-2025-0562

MediumPublic PoC

Published: 19 January 2025

Published

19 January 2025

Modified

28 February 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0008 23.0th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0562 is a medium-severity Injection (CWE-74) vulnerability in Codezips Gym Management System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by validating the usrid parameter in health_status_entry.php against malicious input patterns.

SI-9 Information Input Restrictions good match

prevent

Restricts the usrid input to expected formats like integers, blocking SQL injection payloads before database processing.

SI-2 Flaw Remediation good match

prevent

Ensures timely identification and patching of the specific SQL injection flaw in the Gym Management System.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (/dashboard/admin/health_status_entry.php) enables exploitation of public-facing applications (T1190), data collection from databases via arbitrary queries (T1213.006), and manipulation of stored data affecting CIA triad (T1565.001).

NVD Description

A vulnerability was found in Codezips Gym Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /dashboard/admin/health_status_entry.php. The manipulation of the argument usrid leads to sql injection. The attack may be initiated remotely.…

The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-0562 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips Gym Management System 1.0. The flaw affects the processing of the file /dashboard/admin/health_status_entry.php, where manipulation of the usrid argument enables SQL injection. Published on 2025-01-19, it carries a CVSS v3.1 base score of 6.3.

The vulnerability is remotely exploitable over the network with low complexity and no user interaction required, but it demands low privileges (PR:L) from the attacker. Exploitation can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged scope.

Advisories and further details, including the public exploit disclosure, are documented in references such as https://github.com/LiuSir5211314/-sir/issues/1, https://vuldb.com/?ctiid.292523, https://vuldb.com/?id.292523, and https://vuldb.com/?submit.484184. The exploit has been made publicly available and may be used by attackers.

Details

CWE(s): CWE-74 CWE-89

Affected Products

codezips

gym management system

1.0

CVEs Like This One

CVE-2025-0231Same product: Codezips Gym Management System

CVE-2025-1854Same product: Codezips Gym Management System

CVE-2025-1206Same product: Codezips Gym Management System

CVE-2025-0881Same product: Codezips Gym Management System

CVE-2025-1856Same product: Codezips Gym Management System

CVE-2025-0532Same product: Codezips Gym Management System

CVE-2025-0541Same product: Codezips Gym Management System

CVE-2025-1183Same product: Codezips Gym Management System

CVE-2025-0535Same product: Codezips Gym Management System

CVE-2025-1188Same product: Codezips Gym Management System

References

https://github.com/LiuSir5211314/-sir/issues/1
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.292523
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.292523
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.484184
Third Party Advisory, VDB Entry · cna@vuldb.com