Cyber Posture

CVE-2025-2391

Severity: High · Public PoC

Published: 17 March 2025
Modified: 23 October 2025
KEV Added: not listed
Patch: none referenced
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0013 (32.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2391 is a high-severity injection vulnerability (CWE-74, specifically SQL injection, CWE-89) in Blood Bank Management System 1.0, listed under the vendor name Fabian and distributed by code-projects. Its CVSS 3.1 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 32.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two further techniques (T1505, T1213.006), detailed below. What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent

Directly validates and sanitizes untrusted inputs to the /admin/admin_login.php endpoint, preventing SQL injection attacks.

SI-2 Flaw Remediation · prevent

Requires identification, reporting, and timely remediation of the SQL injection flaw in Blood Bank Management System 1.0.

prevent

Restricts the types and quantities of inputs accepted by the admin login page to block SQL injection payloads.
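The SI-10 control above calls for validating input to /admin/admin_login.php. As an added illustration (not code from the Blood Bank Management System project, whose field names are not shown on this page), the following Python applies an allowlist to the username field and a length bound to the password field, then runs the same check as a detection over constructed request records. The field names username, password and login, the log record shape, and the sample traffic are all assumptions.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/admin/admin_login.php"

# Allowlist for the admin username: letters, digits and a few separators,
# bounded length. Quotes, comment markers and whitespace never match, so the
# usual login-bypass payloads are rejected before any query is built.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,32}$")
# Passwords may legitimately contain quotes, so only their length is bounded;
# protecting the query itself is the job of a parameterized statement.
PASSWORD_MAX = 128
# Assumed form fields; the real form's names are not given on the page.
EXPECTED_FIELDS = {"username", "password", "login"}


def validate_login_fields(form):
    """Return the reasons to reject a login form (empty list means accept).

    form: dict of field name -> single string value from the POST body.
    """
    reasons = []
    username = form.get("username", "")
    password = form.get("password", "")
    if not USERNAME_RE.fullmatch(username):
        reasons.append("username outside allowlist [A-Za-z0-9_.@-]{1,32}")
    if not 1 <= len(password) <= PASSWORD_MAX:
        reasons.append("password length outside 1..%d" % PASSWORD_MAX)
    extra = set(form) - EXPECTED_FIELDS
    if extra:
        reasons.append("unexpected fields: " + ", ".join(sorted(extra)))
    return reasons


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_requests(records):
    """Run the validation over recorded POSTs to the admin login page.

    records: iterable of (src_ip, path, body) tuples.
    Returns [(src_ip, reasons)] for every request that would be rejected.
    """
    flagged = []
    for src, path, body in records:
        if path != LOGIN_PATH:
            continue
        reasons = validate_login_fields(parse_body(body))
        if reasons:
            flagged.append((src, reasons))
    return flagged


# Constructed sample requests for demonstration, not real traffic.
SAMPLE_REQUESTS = [
    ("198.51.100.7", LOGIN_PATH, "username=admin&password=correct-horse&login="),
    ("203.0.113.9", LOGIN_PATH, "username=%27+OR+1%3D1+--+&password=x&login="),
    ("203.0.113.9", LOGIN_PATH, "username=admin%27--&password=&login="),
    ("203.0.113.9", "/index.php", "q=%27+OR+1%3D1"),
]

if __name__ == "__main__":
    for src, reasons in flag_requests(SAMPLE_REQUESTS):
        print(src, "; ".join(reasons))
```

Run stand-alone, the script flags the two requests from 203.0.113.9 against the login page and ignores the one to /index.php. The allowlist is a defensive layer, not a substitute for fixing the query: an application that still concatenates the validated value into SQL remains one regex gap away from the same flaw.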

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505 Server Software Component Persistence
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in the public-facing admin login page, reachable without authentication, gives an attacker a foothold through the exposed application (T1190), a route to abuse server software components for persistence (T1505), and the ability to collect data from the backing database (T1213.006) through attacker-controlled SQL.

NVD Description

A vulnerability classified as critical was found in code-projects Blood Bank Management System 1.0. This vulnerability affects unknown code of the file /admin/admin_login.php of the component Admin Login Page. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Deeper analysis

CVE-2025-2391 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Blood Bank Management System 1.0, classified as critical by the reporting database. It affects unknown code within the file /admin/admin_login.php of the Admin Login Page component; manipulation of the login input leads to SQL injection. The vulnerability carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-17T20:15:14.443.

Remote attackers can exploit this vulnerability without authentication, user interaction, or special preconditions (AV:N/AC:L/PR:N/UI:N). The CVSS vector rates the confidentiality, integrity and availability impacts as Low each. In practice, injection into a login query typically lets an attacker bypass the admin authentication check, and how far the attacker can read or modify data beyond that depends on the privileges of the database account the application uses.
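To make the mechanism concrete, here is an added example in Python (not the project's PHP code; the admin table schema, column names and credentials are assumptions, and an in-memory SQLite database stands in for whatever database the application uses). It places the CWE-89 pattern, a login query built by string concatenation, next to the parameterized form, and shows that the same comment-based payload bypasses the first and fails against the second.

```python
import sqlite3


def make_db():
    """Constructed sample data: one admin account in a throwaway in-memory table.

    The table and column names are assumed; the page only identifies the
    vulnerable file (/admin/admin_login.php), not its schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO admin (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The CWE-89 pattern: user input is spliced into the SQL text.

    Returns the matched username, or None when no row matches.
    """
    sql = (
        "SELECT username FROM admin WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """The same check with a parameterized query.

    The input is bound as data, so quotes and comment markers inside it can
    never change the structure of the statement.
    """
    row = conn.execute(
        "SELECT username FROM admin WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payload that closes the string literal, adds an always-true condition and
# comments out the password comparison. The password value is irrelevant.
BYPASS_USERNAME = "' OR 1=1 -- "

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(conn, BYPASS_USERNAME, "x"))
    print("hardened,   bypass payload:", login_hardened(conn, BYPASS_USERNAME, "x"))
    print("hardened,   real credentials:", login_hardened(conn, "admin", "correct-horse"))
```

In the vulnerable function the payload turns the statement into `SELECT username FROM admin WHERE username = '' OR 1=1 -- ' AND password = 'x'`, so the first admin row is returned and the caller treats the request as a successful login. Plaintext password comparison is kept only so that the two functions differ in a single respect; real code stores password hashes, which is a separate fix from the one this vulnerability calls for.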

Reference advisories, including VulDB entries (vuldb.com/?ctiid.299890, vuldb.com/?id.299890, vuldb.com/?submit.516910) and a GitHub disclosure (github.com/intercpt/XSS1/blob/main/SQL10.md), confirm the exploit has been publicly released and may be used in attacks. The project site (code-projects.org) provides context on the affected software, but no specific patches or mitigations are detailed in the available information.

Because a working exploit is public, any Internet-reachable deployment of Blood Bank Management System 1.0 should be treated as exposed: restrict or isolate access to the admin login endpoint until the application is patched or replaced.

Details

CWE(s)

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

Affected Products

Vendor: fabian
Product: blood bank management system
Version: 1.0

CVEs Like This One

CVE-2025-2389 · Same product: Fabian Blood Bank Management System
CVE-2025-0230 · Same vendor: Fabian
CVE-2025-2985 · Same vendor: Fabian
CVE-2025-2854 · Same vendor: Fabian
CVE-2025-1197 · Same vendor: Fabian
CVE-2025-0229 · Same vendor: Fabian
CVE-2025-2419 · Same vendor: Fabian
CVE-2025-2384 · Same vendor: Fabian
CVE-2025-7166 · Same vendor: Fabian
CVE-2025-2984 · Same vendor: Fabian

References

vuldb.com/?ctiid.299890
vuldb.com/?id.299890
vuldb.com/?submit.516910
github.com/intercpt/XSS1/blob/main/SQL10.md
code-projects.org