CVE-2025-2683
Published: 24 March 2025
Summary
CVE-2025-2683 is a high-severity Injection (CWE-74) vulnerability in Phpgurukul Bank Locker Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly validates the mobilenumber input parameter in /profile.php to prevent SQL injection by ensuring only expected formats are accepted.
- Restricts the mobilenumber argument to safe types, lengths, and characters, blocking SQL injection payloads before they reach the database.
- Remediates the specific SQL injection flaw in /profile.php through timely patching or code correction for the vulnerable PHPGurukul software.
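The input-validation controls above, as an added PHP illustration that is not PHPGurukul's code: a hypothetical profile lookup in its vulnerable form (SQL built by string concatenation) beside the hardened form (allow-list validation of mobilenumber plus a bound parameter). The table tbluser, its columns and the 10-to-15-digit rule are assumptions.

```php
<?php
// Added illustration (not PHPGurukul's code): the two lookups below model a
// hypothetical profile handler that selects a user by mobile number. Table and
// column names and the validation policy are assumptions.

// Vulnerable pattern: untrusted input is spliced into the SQL text, so the
// query structure itself becomes attacker-controlled (CWE-89). Shown for
// contrast only; never call it with request data.
function findProfileUnsafe(PDO $db, string $mobilenumber): array
{
    $sql = "SELECT id, fullname FROM tbluser WHERE mobilenumber = '" . $mobilenumber . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SI-10 style allow-list: a mobile number is 10 to 15 ASCII digits, nothing
// else. Returns the trimmed value, or null when the input must be rejected.
function validateMobileNumber(string $raw): ?string
{
    $value = trim($raw);
    return preg_match('/^[0-9]{10,15}$/', $value) === 1 ? $value : null;
}

// Hardened pattern: validate first, then bind the value as a parameter so it
// is always data and never SQL syntax, whatever characters it contains.
function findProfileSafe(PDO $db, string $mobilenumber): array
{
    $mobile = validateMobileNumber($mobilenumber);
    if ($mobile === null) {
        throw new InvalidArgumentException('mobilenumber must be 10-15 digits');
    }
    $stmt = $db->prepare('SELECT id, fullname FROM tbluser WHERE mobilenumber = :m');
    $stmt->bindValue(':m', $mobile, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbluser (id INTEGER PRIMARY KEY, fullname TEXT, mobilenumber TEXT)');
$db->exec("INSERT INTO tbluser (fullname, mobilenumber) VALUES ('Alice', '9876543210')");

print_r(findProfileSafe($db, '9876543210'));   // well-formed value reaches the query
try {
    findProfileSafe($db, "+91 9876543210");     // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Rejecting malformed values before the query is built gives a single choke point that can also be logged, which is where detection of probing against this parameter would naturally live.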
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an unauthenticated, public-facing web application (/profile.php) directly enables remote exploitation of the application, which is the behaviour T1190 describes.
NVD Description
A vulnerability classified as critical was found in PHPGurukul Bank Locker Management System 1.0. This vulnerability affects unknown code of the file /profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2683 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Bank Locker Management System 1.0, published on 2025-03-24. The issue resides in unknown code of the file /profile.php, where manipulation of the mobilenumber argument enables SQL injection. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers can exploit this vulnerability over the network with low complexity, without authentication or user interaction. Successful exploitation yields limited (low) impact on confidentiality, integrity, and availability through the SQL injection.
Advisories referenced in VulDB entries (https://vuldb.com/?ctiid.300700, https://vuldb.com/?id.300700, https://vuldb.com/?submit.521452) and a GitHub issue (https://github.com/ARPANET-cyber/CVE/issues/12) detail the flaw, while the vendor site (https://phpgurukul.com/) provides context on the software. The exploit has been publicly disclosed and may be used.
The vulnerability's public exploit availability heightens risk for exposed instances of this management system.
Details
- CWE(s)