CVE-2025-1850
Published: 03 March 2025
Summary
CVE-2025-1850 is a high-severity Injection (CWE-74) vulnerability in Codezips College Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation of untrusted inputs like the book_name parameter in /university.php.
Addresses the vulnerability through timely identification, testing, and deployment of patches for the SQL injection flaw.
Enables scanning to detect the SQL injection vulnerability in the College Management System prior to exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (/university.php) enables initial access via exploitation of public-facing applications (T1190), execution through server software component abuse (T1505), and collection from databases (T1213.006).
NVD Description
A vulnerability, which was classified as critical, has been found in Codezips College Management System 1.0. Affected by this issue is some unknown functionality of the file /university.php. The manipulation of the argument book_name leads to sql injection. The attack…
more
may be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-1850 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips College Management System 1.0. The issue resides in an unknown functionality of the /university.php file, where manipulation of the book_name argument enables SQL code injection. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized database access, data manipulation, or disruption depending on the backend SQL implementation.
Advisories and references, including VulDB entries and a GitHub repository from WHOAMI-xiaoyu, confirm the exploit has been publicly disclosed and is available for use. No specific patches or mitigations are detailed in the provided information.
The public availability of the exploit PoC heightens the risk for unpatched instances of this college management system.
Details
- CWE(s)