CVE-2025-2687

MediumPublic PoC

Published: 24 March 2025

Published

24 March 2025

Modified

27 March 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0007 21.1th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2687 is a medium-severity Improper Access Control (CWE-284) vulnerability in Phpgurukul Elearning System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 21.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Ingress Tool Transfer (T1105) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates unrestricted file upload by requiring validation of inputs to the image handler, preventing acceptance of dangerous file types.

AC-3 Access Enforcement good match

prevent

Enforces proper access control on the /user/index.php endpoint, addressing CWE-284 improper access control that enables remote manipulation.

SI-2 Flaw Remediation good match

prevent

Remediates the specific flaw in the image handler component through identification, reporting, and correction of the unrestricted upload vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1105 Ingress Tool Transfer Command And Control

Adversaries may transfer tools or other files from an external system into a compromised environment.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Unrestricted file upload vulnerability in public-facing PHP web application enables remote exploitation for initial access (T1190), ingress tool/malware transfer (T1105), and web shell deployment/execution (T1505.003).

NVD Description

A vulnerability classified as critical has been found in PHPGurukul eLearning System 1.0. Affected is an unknown function of the file /user/index.php of the component Image Handler. The manipulation leads to unrestricted upload. It is possible to launch the attack…

remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-2687 is a critical vulnerability in PHPGurukul eLearning System 1.0, affecting an unknown function in the file /user/index.php of the Image Handler component. The issue enables unrestricted file upload through manipulation of this endpoint.

The vulnerability can be exploited remotely by attackers with low privileges (PR:L), requiring low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) with unchanged scope (S:U), as reflected in its CVSS v3.1 base score of 6.3 (AV:N). The exploit has been publicly disclosed and may be used, with associated weaknesses in CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Advisories and details are available via references including a GitHub issue at https://github.com/ARPANET-cyber/CVE/issues/14, the vendor site at https://phpgurukul.com/, and VulDB entries at https://vuldb.com/?ctiid.300708, https://vuldb.com/?id.300708, and https://vuldb.com/?submit.521454. The vulnerability was published on 2025-03-24.

Details

CWE(s): CWE-284 CWE-434

Affected Products

phpgurukul

elearning system

1.0

CVEs Like This One

CVE-2026-1424Same vendor: Phpgurukul

CVE-2026-0547Same vendor: Phpgurukul

CVE-2025-70064Same vendor: Phpgurukul

CVE-2025-1588Same vendor: Phpgurukul

CVE-2025-69992Same vendor: Phpgurukul

CVE-2025-1166Shared CWE-284, CWE-434

CVE-2026-4221Shared CWE-284, CWE-434

CVE-2025-1555Shared CWE-284, CWE-434

CVE-2025-1818Shared CWE-284, CWE-434

CVE-2026-2977Shared CWE-284, CWE-434

References

https://github.com/ARPANET-cyber/CVE/issues/14
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://phpgurukul.com/
Product · cna@vuldb.com
https://vuldb.com/?ctiid.300708
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.300708
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.521454
Third Party Advisory, VDB Entry · cna@vuldb.com