CVE-2025-0846
Published: 30 January 2025
Summary
CVE-2025-0846 is a high-severity Injection (CWE-74) vulnerability in 1000Projects Employee Task Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of the email input parameter in AdminLogin.php to block SQL injection payloads.
Mandates timely identification, reporting, and correction of the SQL injection flaw in the Employee Task Management System.
Enables boundary protection devices like WAFs to monitor and block network traffic containing SQL injection attempts to the vulnerable endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in the unauthenticated /admin/AdminLogin.php endpoint of the public-facing Employee Task Management System web application enables remote attackers to execute arbitrary SQL queries (boolean-based blind and time-based blind), directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was found in 1000 Projects Employee Task Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/AdminLogin.php. The manipulation of the argument email leads to sql injection. It is possible…
more
to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-0846 is a critical SQL injection vulnerability affecting the 1000 Projects Employee Task Management System version 1.0. The flaw exists in an unknown part of the file /admin/AdminLogin.php, where manipulation of the email argument triggers the injection. It is associated with CWE-74 and CWE-89, and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation without authentication or user interaction. Attackers can initiate the attack over the network with low complexity, potentially compromising low levels of confidentiality, integrity, and availability through arbitrary SQL queries.
VulDB advisories and a GitHub issue (onupset/CVE #4) document the vulnerability, noting that the exploit has been publicly disclosed and may be used. References include the project site at https://1000projects.org/ and VulDB entries at https://vuldb.com/?ctiid.294009, https://vuldb.com/?id.294009, and https://vuldb.com/?submit.485756. No patches or specific mitigations are detailed in the provided information.
Details
- CWE(s)