CVE-2025-2734
Published: 25 March 2025
Summary
CVE-2025-2734 is a high-severity Injection (CWE-74) vulnerability in Phpgurukul Old Age Home Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly and comprehensively prevents SQL injection by validating and sanitizing the 'pagetitle' parameter in /admin/aboutus.php before use in database queries.
Mandates timely identification, reporting, and patching of the specific SQL injection flaw in PHPGurukul Old Age Home Management System 1.0.
Facilitates proactive detection of the SQL injection vulnerability through regular scanning of the application for flaws like CVE-2025-2734.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in public-facing web application enables initial access via exploitation of public-facing application (T1190), execution through server software component (T1505 as noted in advisory), and collection from databases (T1213.006).
NVD Description
A vulnerability, which was classified as critical, was found in PHPGurukul Old Age Home Management System 1.0. Affected is an unknown function of the file /admin/aboutus.php. The manipulation of the argument pagetitle leads to sql injection. It is possible to…
more
launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2734 is a critical SQL injection vulnerability (CWE-74, CWE-89) in PHPGurukul Old Age Home Management System 1.0. The flaw resides in an unknown function within the file /admin/aboutus.php, where manipulation of the 'pagetitle' argument triggers the injection. Published on 2025-03-25, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers without authentication can exploit this vulnerability due to its network accessibility, low attack complexity, and lack of required user interaction. By injecting malicious SQL via the 'pagetitle' parameter, attackers can achieve low-level impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption depending on the database backend.
Advisories referenced in VulDB (ctiid.300756, id.300756, submit.522265) and a GitHub issue (0xabandon/CVE/issues/1) detail the vulnerability, confirming remote exploitability. The vendor site phpgurukul.com is listed, though specific patch information is not detailed in the available references. The exploit has been publicly disclosed and may be used.
The public availability of the exploit increases the risk for unpatched instances of this management system.
Details
- CWE(s)