Cyber Resilience

CVE-2025-1188

MediumPublic PoC

Published: 12 February 2025

Published
12 February 2025
Modified
25 February 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 37.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1188 is a medium-severity Injection (CWE-74) vulnerability in Codezips Gym Management System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-1188 is a critical SQL injection vulnerability in Codezips Gym Management System 1.0. The issue resides in an unknown functionality of the file /dashboard/admin/updateroutine.php, where manipulation of the 'tid' argument triggers the injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).

The vulnerability enables remote exploitation by attackers possessing low privileges, such as authenticated users with basic access. Exploitation requires network connectivity and low complexity, with no user interaction necessary. Successful attacks can result in limited impacts to confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption within the application's database.

Advisories referenced in VulDB entries (ctiid.295094, id.295094, submit.496409) and a GitHub repository document the issue, with the exploit publicly disclosed and available for use. No specific patches or mitigation steps are detailed in the provided information.

EU & UK References

Vulnerability details

A vulnerability, which was classified as critical, has been found in Codezips Gym Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/admin/updateroutine.php. The manipulation of the argument tid leads to sql injection. The attack…

more

may be launched remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1505 Server Software Component Persistence
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Why these techniques?

SQL injection vulnerability in public-facing web application (/dashboard/admin/updateroutine.php) enables exploitation of public-facing applications (T1190), collection from databases via arbitrary SQL queries (T1213.006), and abuse of server software components (T1505 as assigned by VulDB).

CVEs Like This One

CVE-2025-0535Same product: Codezips Gym Management System
CVE-2025-0541Same product: Codezips Gym Management System
CVE-2025-1856Same product: Codezips Gym Management System
CVE-2025-0532Same product: Codezips Gym Management System
CVE-2025-1959Same product: Codezips Gym Management System
CVE-2025-0231Same product: Codezips Gym Management System
CVE-2025-0881Same product: Codezips Gym Management System
CVE-2025-1206Same product: Codezips Gym Management System
CVE-2025-1854Same product: Codezips Gym Management System
CVE-2025-0562Same product: Codezips Gym Management System

Affected Assets

codezips
gym management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SQL injection by requiring validation and sanitization of the 'tid' input parameter to neutralize special elements used in SQL commands.

prevent

Requires timely identification, reporting, and remediation of the SQL injection flaw in /dashboard/admin/updateroutine.php to eliminate the vulnerability.

detect

Enables automated vulnerability scanning to identify SQL injection vulnerabilities like CVE-2025-1188 in the Gym Management System.

References