CVE-2025-0881
Published: 30 January 2025
Summary
CVE-2025-0881 is a medium-severity Injection (CWE-74) vulnerability in Codezips Gym Management System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 36.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly prevents SQL injection by requiring validation of untrusted inputs like the 'rname' parameter in saveroutine.php.
Mandates timely identification, reporting, and correction of the critical SQL injection flaw in the Gym Management System.
Vulnerability scanning detects the SQL injection vulnerability in /dashboard/admin/saveroutine.php, enabling proactive remediation.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
SQL injection in a public-facing web application (/dashboard/admin/saveroutine.php) enables exploitation of a public-facing application (T1190) and unauthorized access to or manipulation of database contents (T1213.006).
NVD Description
A vulnerability was found in Codezips Gym Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /dashboard/admin/saveroutine.php. The manipulation of the argument rname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis (AI)
CVE-2025-0881 is a critical SQL injection vulnerability in Codezips Gym Management System version 1.0. The issue affects an unknown function within the file /dashboard/admin/saveroutine.php, where manipulation of the 'rname' argument enables SQL injection. This flaw, associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), was published on 2025-01-30 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges, such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts including low-level disclosure of confidential information, modification of data, and denial of service, all within the unchanged scope of the application.
Advisories referenced in sources like VulDB and a GitHub issue (wizdzz/CVE #1) disclose a public exploit, indicating it may be actively used by attackers. No specific patches or mitigation steps are detailed in the available references.
The exploit's public disclosure heightens the risk for deployments of this gym management system.
Details
- CWE(s)