Cyber Resilience

CVE-2025-0846

Medium

Published: 30 January 2025

Published
30 January 2025
Modified
04 February 2025
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 38.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0846 is a medium-severity Injection (CWE-74) vulnerability in 1000Projects Employee Task Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0846 is a critical SQL injection vulnerability affecting the 1000 Projects Employee Task Management System version 1.0. The flaw exists in an unknown part of the file /admin/AdminLogin.php, where manipulation of the email argument triggers the injection. It is associated with CWE-74 and CWE-89, and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation without authentication or user interaction. Attackers can initiate the attack over the network with low complexity, potentially compromising low levels of confidentiality, integrity, and availability through arbitrary SQL queries.

VulDB advisories and a GitHub issue (onupset/CVE #4) document the vulnerability, noting that the exploit has been publicly disclosed and may be used. References include the project site at https://1000projects.org/ and VulDB entries at https://vuldb.com/?ctiid.294009, https://vuldb.com/?id.294009, and https://vuldb.com/?submit.485756. No patches or specific mitigations are detailed in the provided information.

EU & UK References

Vulnerability details

A vulnerability was found in 1000 Projects Employee Task Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/AdminLogin.php. The manipulation of the argument email leads to sql injection. It is possible…

more

to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection vulnerability in the unauthenticated /admin/AdminLogin.php endpoint of the public-facing Employee Task Management System web application enables remote attackers to execute arbitrary SQL queries (boolean-based blind and time-based blind), directly mapping to T1190: Exploit Public-Facing Application.

CVEs Like This One

CVE-2025-0847Same product: 1000Projects Employee Task Management System
CVE-2025-1189Same vendor: 1000Projects
CVE-2025-7466Same vendor: 1000Projects
CVE-2025-0534Same vendor: 1000Projects
CVE-2025-0536Same vendor: 1000Projects
CVE-2025-0533Same vendor: 1000Projects
CVE-2025-1172Same vendor: 1000Projects
CVE-2025-1173Same vendor: 1000Projects
CVE-2026-3150Shared CWE-74, CWE-89
CVE-2026-3746Shared CWE-74, CWE-89

Affected Assets

1000projects
employee task management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the email input parameter in AdminLogin.php to block SQL injection payloads.

prevent

Mandates timely identification, reporting, and correction of the SQL injection flaw in the Employee Task Management System.

prevent

Enables boundary protection devices like WAFs to monitor and block network traffic containing SQL injection attempts to the vulnerable endpoint.

References