CVE-2025-2737
Published: 25 March 2025
Summary
CVE-2025-2737 is a high-severity Injection (CWE-74) vulnerability in Phpgurukul Old Age Home Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of inputs like the pagetitle argument to prevent SQL injection attacks in /admin/contactus.php.
SI-2 mandates identification, reporting, and correction of flaws such as this SQL injection vulnerability in the Old Age Home Management System.
RA-5 employs vulnerability scanning to identify SQL injection issues like CVE-2025-2737 in the application.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote unauthenticated SQL injection vulnerability in a public-facing PHP web application, directly enabling exploitation of public-facing applications for initial access and data manipulation via injected queries.
NVD Description
A vulnerability was found in PHPGurukul Old Age Home Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/contactus.php. The manipulation of the argument pagetitle leads to sql injection. It is possible…
more
to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2737 is a critical SQL injection vulnerability in PHPGurukul Old Age Home Management System 1.0. The issue resides in an unknown part of the file /admin/contactus.php, where manipulation of the pagetitle argument enables the injection. Classified under CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 7.3.
The vulnerability is exploitable remotely by unauthenticated attackers with low complexity and no user interaction required, per the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation grants limited access to confidential data, moderate integrity disruption, and low availability impact through SQL queries.
Advisories and further details are available in referenced sources, including a GitHub issue at https://github.com/X-X-007/cve/issues/1, the vendor site at https://phpgurukul.com/, and VULDB entries at https://vuldb.com/?ctiid.300759, https://vuldb.com/?id.300759, and https://vuldb.com/?submit.522898.
The exploit has been publicly disclosed and may be used in attacks.
Details
- CWE(s)