CVE-2025-2664
Published: 23 March 2025
Summary
CVE-2025-2664 is a medium-severity Injection (CWE-74) vulnerability in Codezips Hospital Management System. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly prevents SQL injection by validating and sanitizing the ID parameter in /suadpeted.php against expected formats.
- Ensures timely patching or code remediation of the known SQL injection vulnerability in CodeZips Hospital Management System 1.0.
- Restricts the ID input to safe types and quantities, such as numeric-only values, to block malicious SQL injection payloads.
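As an added example (not the CodeZips project's code; the advisory does not show the real /suadpeted.php source), this is what the input-validation control above looks like in PHP: the ID parameter is accepted only as a positive integer and then passed to the database as a bound parameter, so it never becomes part of the SQL text. The table and column names, DSN and credentials are assumptions.

```php
<?php
// Added example, not the CodeZips Hospital Management System code.
// Hardened handling of the "ID" request parameter (NIST SI-10 style):
// strict format validation followed by a parameterized query.
declare(strict_types=1);

/**
 * Validate the raw ID value: a plain positive integer of at most 10 digits.
 * Returns the integer on success, or null if the value must be rejected.
 */
function validateId(?string $raw): ?int
{
    // Anything other than digits (quotes, spaces, comment markers, ...) is refused.
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

$id = validateId($_GET['ID'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('invalid ID');
}

// Assumed DSN and credentials; disable emulated prepares so the server
// itself separates the query text from the bound value.
$pdo = new PDO('mysql:host=localhost;dbname=hospital', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Assumed table/column names. The ID travels as a typed bound parameter,
// not by string concatenation into the statement.
$stmt = $pdo->prepare('SELECT * FROM patients WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
```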
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection vulnerability in a public-facing web application (/suadpeted.php) enables exploitation of public-facing applications (T1190) and facilitates unauthorized data collection from databases (T1213.006).
NVD Description
A vulnerability was found in CodeZips Hospital Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /suadpeted.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2664 is a critical SQL injection vulnerability in CodeZips Hospital Management System version 1.0, published on 2025-03-23. The issue affects an unknown functionality within the file /suadpeted.php, where manipulation of the ID argument enables SQL injection. It is associated with CWE-74 (improper neutralization of special elements) and CWE-89 (SQL injection), with a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by attackers who already hold high privileges (PR:H); it requires only network access (AV:N) and low attack complexity (AC:L), with no user interaction (UI:N). Successful exploitation has limited impact: low confidentiality (C:L) through potential data exposure, low integrity (I:L) through data modification, and low availability (A:L) disruption.
Advisories from VulDB and a related GitHub repository detail the vulnerability, confirming the SQL injection via the ID parameter in /suadpeted.php. The exploit has been publicly disclosed in the GitHub document "SQL_Injection_in_Hospital_Management_System.md" and may be actively used by attackers.
Notable context includes the public availability of the exploit, increasing the risk for unpatched instances of this hospital management system. No evidence of widespread real-world exploitation is specified in the available data.
Details
- CWE(s)