CVE-2025-1606
Published: 24 February 2025
Summary
CVE-2025-1606 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Mayurik Best Employee Management System. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Gather Victim Host Information (T1592); ranked at the 28.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-13 (Monitoring for Information Disclosure).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to the /admin/backup/backups.php endpoint, directly countering the improper access control (CWE-284) that enables low-privileged users to disclose sensitive information.
Requires identification, reporting, and correction of software flaws like CVE-2025-1606, preventing exploitation through timely patching or code fixes despite vendor non-response.
Monitors for information disclosure events, enabling detection of unauthorized access and data exposure via the backups.php vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in /admin/backup/backups.php enables remote information disclosure, facilitating adversary reconnaissance to gather victim host information (T1592), as explicitly mapped in the VulDB advisory.
NVD Description
A vulnerability classified as problematic was found in SourceCodester Best Employee Management System 1.0. This vulnerability affects unknown code of the file /admin/backup/backups.php. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed…
more
to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-1606 is a problematic information disclosure vulnerability in SourceCodester Best Employee Management System 1.0, affecting unknown code within the file /admin/backup/backups.php. Classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control), it has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The vulnerability was published on 2025-02-24 and enables remote manipulation leading to the exposure of sensitive data.
A remote attacker with low privileges (PR:L), such as an authenticated user, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation results in low-impact confidentiality loss, allowing the attacker to disclose information from the backups.php endpoint without affecting integrity or availability.
Advisories from VulDB (CTI ID 296596) and a public GitHub disclosure detail the vulnerability but note that the vendor was contacted early without any response or patch release. No official mitigation or patch is available from SourceCodester, and the exploit has been publicly disclosed, increasing the risk of active use.
The exploit proof-of-concept is available on GitHub, indicating potential for immediate exploitation in unpatched instances of the software.
Details
- CWE(s)