Cyber Resilience

CVE-2025-1606

MediumPublic PoC

Published: 24 February 2025

Published
24 February 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0011 29.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1606 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Mayurik Best Employee Management System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Gather Victim Host Information (T1592); ranked at the 29.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

CVE-2025-1606 is a problematic information disclosure vulnerability in SourceCodester Best Employee Management System 1.0, affecting unknown code within the file /admin/backup/backups.php. Classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control), it has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The vulnerability was published on 2025-02-24 and enables remote manipulation leading to the exposure of sensitive data.

A remote attacker with low privileges (PR:L), such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation results in low-impact confidentiality loss, allowing the attacker to disclose information from the backups.php endpoint without affecting integrity or availability.

Advisories from VulDB (CTI ID 296596) and a public GitHub disclosure detail the vulnerability but note that the vendor was contacted early without any response or patch release. No official mitigation or patch is available from SourceCodester, and the exploit has been publicly disclosed, increasing the risk of active use.

The exploit proof-of-concept is available on GitHub, indicating potential for immediate exploitation in unpatched instances of the software.

EU & UK References

Vulnerability details

A vulnerability classified as problematic was found in SourceCodester Best Employee Management System 1.0. This vulnerability affects unknown code of the file /admin/backup/backups.php. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed…

more

to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1592 Gather Victim Host Information Reconnaissance
Adversaries may gather information about the victim's hosts that can be used during targeting.
Why these techniques?

The vulnerability in /admin/backup/backups.php enables remote information disclosure, facilitating adversary reconnaissance to gather victim host information (T1592), as explicitly mapped in the VulDB advisory.

CVEs Like This One

CVE-2025-0802Same product: Mayurik Best Employee Management System
CVE-2025-1593Same product: Mayurik Best Employee Management System
CVE-2025-2046Same product: Mayurik Best Employee Management System
CVE-2025-1598Same vendor: Mayurik
CVE-2025-1871Same vendor: Mayurik
CVE-2025-1200Same vendor: Mayurik
CVE-2026-1702Same vendor: Mayurik
CVE-2025-2602Same vendor: Mayurik
CVE-2025-1599Same vendor: Mayurik
CVE-2025-63298Same vendor: Mayurik

Affected Assets

mayurik
best employee management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to the /admin/backup/backups.php endpoint, directly countering the improper access control (CWE-284) that enables low-privileged users to disclose sensitive information.

prevent

Requires identification, reporting, and correction of software flaws like CVE-2025-1606, preventing exploitation through timely patching or code fixes despite vendor non-response.

detect

Monitors for information disclosure events, enabling detection of unauthorized access and data exposure via the backups.php vulnerability.

References