CVE-2025-28072
Published: 16 April 2025
Summary
CVE-2025-28072 is a high-severity Path Traversal (CWE-22) vulnerability in Phpgurukul Pre-School Enrollment System. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 19.2% of CVEs by exploit likelihood (EPSS percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
PHPGurukul Pre-School Enrollment System contains a directory traversal vulnerability, tracked as CVE-2025-28072 and assigned CWE-22, that affects the manage-teachers.php component. The flaw received a CVSS 3.1 base score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): it is reachable over the network with low attack complexity, requires no privileges or user interaction, and has a high confidentiality impact with no integrity or availability impact.
An unauthenticated remote attacker can supply crafted path sequences to the affected script and retrieve arbitrary files from the underlying server filesystem, exposing sensitive configuration or data while leaving integrity and availability untouched. The single provided reference is a GitHub repository containing a technical description of the issue.
EPSS scores remain low: the current value is 0.0139, and the recorded peak is 0.0190, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-11493
Vulnerability details
PHPGurukul Pre-School Enrollment System is vulnerable to Directory Traversal in manage-teachers.php.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in a public-facing PHP web application (manage-teachers.php) is exploited via the public-facing application (T1190). Once arbitrary file read is available it facilitates file and directory discovery (T1083), collection of data from the local system (T1005), and credential access from files such as application configuration files or /etc/passwd (T1552.001 Credentials In Files, T1003.008 /etc/passwd and /etc/shadow).
Mitigating Controls (likely)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validate pathnames and filenames to prevent traversal outside intended directories: canonicalise the user-supplied path (for example with realpath) and confirm the result still lies inside the intended base directory before opening it, rather than filtering for "../" substrings.
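The control above, shown as an added example (not code from PHPGurukul's manage-teachers.php; the vulnerable pattern below is an illustration of unvalidated concatenation, not the project's actual code): the hardened read canonicalises the joined path and checks it is still under the base directory using a path-component comparison, which also defeats the `/var/www` vs `/var/www2` prefix pitfall and absolute-path inputs that `os.path.join` would otherwise honour. The upload directory layout and file names are constructed for the demo.

```python
import os
import tempfile


def vulnerable_read(base_dir, user_supplied):
    """Illustrative insecure pattern: concatenate and open without validation.
    An input like '../config.php' reads outside base_dir."""
    with open(os.path.join(base_dir, user_supplied)) as f:
        return f.read()


def safe_join(base_dir, user_supplied):
    """Return the canonical path for user_supplied inside base_dir, or raise ValueError."""
    if "\x00" in user_supplied:
        raise ValueError("NUL byte in filename")
    base = os.path.realpath(base_dir)
    # os.path.join discards base if user_supplied is absolute; realpath then
    # resolves '..' and symlinks so the containment check sees the real target.
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    # commonpath compares whole components, so '/srv/app' does not match '/srv/app2'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % user_supplied)
    return candidate


def hardened_read(base_dir, user_supplied):
    """Open the file only after safe_join has confirmed containment."""
    with open(safe_join(base_dir, user_supplied)) as f:
        return f.read()


def is_safe(base_dir, user_supplied):
    """Boolean wrapper for quick checks."""
    try:
        safe_join(base_dir, user_supplied)
        return True
    except ValueError:
        return False


def demo():
    """Build a throwaway layout (constructed data) and contrast both reads.
    Returns (content leaked by the vulnerable read, whether the hardened read
    refused the same input, content returned for a legitimate name)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.mkdir(base)
        with open(os.path.join(base, "teacher1.jpg"), "w") as f:
            f.write("image-bytes")
        with open(os.path.join(root, "config.php"), "w") as f:
            f.write("<?php $dbpass = 'secret'; ?>")
        leaked = vulnerable_read(base, "../config.php")
        try:
            hardened_read(base, "../config.php")
            blocked = False
        except ValueError:
            blocked = True
        legit = hardened_read(base, "teacher1.jpg")
        return leaked, blocked, legit


if __name__ == "__main__":
    print(demo())
```

Because `realpath` follows symlinks, a symlink placed inside the base directory that points outside it is also rejected; if the application legitimately needs such links, allow-list the specific targets rather than relaxing the containment check. Percent-decoding is not repeated here on purpose: by the time a PHP script reads `$_GET`, the web server has already decoded the query string once, so a doubly encoded `..%252F` arrives as the literal characters `..%2F`, which is a harmless filename rather than a traversal.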