CVE-2025-2679
Published: 24 March 2025
Summary
CVE-2025-2679 is a high-severity Injection (CWE-74) vulnerability in Phpgurukul Bank Locker Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of all system inputs including the pagetitle parameter in contact-us.php, directly preventing SQL injection by rejecting malicious payloads.
SI-2 mandates identification, reporting, and correction of flaws like the SQL injection vulnerability in contact-us.php, eliminating the CVE through timely patching or code remediation.
RA-5 requires vulnerability scanning and monitoring that would detect SQL injection issues such as CVE-2025-2679 in web applications like the Bank Locker Management System.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The remote unauthenticated SQL injection in a public-facing web application (/contact-us.php) directly enables exploitation of the vulnerable system.
NVD Description
A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /contact-us.php. The manipulation of the argument pagetitle leads to sql injection. It is possible to…
more
launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2679 is a critical SQL injection vulnerability in PHPGurukul Bank Locker Management System 1.0. The flaw resides in an unknown function within the file /contact-us.php, where manipulation of the pagetitle argument enables SQL injection. Published on 2025-03-24, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWEs 74 and 89.
The vulnerability is remotely exploitable by unauthenticated attackers requiring low attack complexity and no user interaction. Successful exploitation grants low-level impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption via injected SQL queries.
Advisories and additional details are documented in references such as https://github.com/ARPANET-cyber/CVE/issues/8, https://phpgurukul.com/, https://vuldb.com/?ctiid.300696, https://vuldb.com/?id.300696, and https://vuldb.com/?submit.521447. The exploit has been publicly disclosed and may be actively used.
Details
- CWE(s)