CVE-2025-28087
Published: 28 March 2025
Summary
CVE-2025-28087 is a critical-severity SQL Injection (CWE-89) vulnerability in Online Exam System 1.0 (vendor listed here as Nayem-Howlader; the vulnerability details below refer to the same product as Sourcecodester Online Exam System 1.0). Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 34.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-28087 is a SQL injection vulnerability (CWE-89) in Sourcecodester Online Exam System 1.0, exploitable via the dash.php component. Published on 2025-03-28T22:15:17.717, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), i.e. Critical.
The vector breaks down as follows: the attacker needs only network access (AV:N), the attack has low complexity (AC:L), and neither privileges (PR:N) nor user interaction (UI:N) is required. Successful exploitation lets the attacker run arbitrary SQL against the underlying database, with high impact on confidentiality, integrity, and availability (reading or altering exam data and user records, or destroying tables). The page does not identify which request parameter of dash.php is injectable.
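The mechanics behind this class of bug, as an added example that is not code from Online Exam System or from the referenced advisory: a lookup that concatenates an untrusted request value into SQL, next to the same lookup done with a bound parameter plus input validation (the SI-10 control named later on this page). The table, column and parameter names are assumptions, since the page only names dash.php; the data is constructed. Run against an in-memory SQLite database, the tautology payload returns every row and a UNION payload reads the password column through a query that was only meant to return a username and role, while the parameterized version matches nothing for either payload.

```python
import sqlite3

# Constructed sample data standing in for the exam system's user table.
# Table and column names are assumptions; the page does not describe the schema.
SAMPLE_ROWS = [
    (1, "alice", "s3cret-alice", "student"),
    (2, "bob", "s3cret-bob", "student"),
    (3, "admin", "s3cret-admin", "admin"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_query(user_id):
    """Vulnerable pattern: the request value is spliced straight into the SQL text.
    The single quote in an attacker-supplied value closes the literal and the
    rest of the value becomes SQL syntax."""
    return "SELECT username, role FROM users WHERE id = '" + user_id + "'"


def lookup_vulnerable(conn, user_id):
    """Execute the concatenated query exactly as a vulnerable handler would."""
    return conn.execute(build_vulnerable_query(user_id)).fetchall()


def validate_id(value):
    """Input validation (NIST SI-10): an id must be a decimal integer, nothing else.
    Raises ValueError on anything containing quotes, spaces or SQL keywords."""
    if not value.isdigit():
        raise ValueError("id must be a non-negative decimal integer")
    return int(value)


def lookup_parameterized(conn, user_id):
    """Hardened lookup: the value is bound as a parameter, so the database engine
    treats it as data and never re-parses it as SQL. Validation is applied first
    so malformed ids are rejected before they reach the query at all."""
    bound = validate_id(user_id)
    return conn.execute(
        "SELECT username, role FROM users WHERE id = ?", (bound,)
    ).fetchall()


def lookup_bound_only(conn, user_id):
    """Binding alone, without validation, for comparison: the payload is compared
    to the id column as an opaque string and matches no row."""
    return conn.execute(
        "SELECT username, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "1' OR '1'='1"
    union = "x' UNION SELECT username, password FROM users --"
    print("vulnerable, benign id:", lookup_vulnerable(db, "1"))
    print("vulnerable, tautology:", lookup_vulnerable(db, tautology))
    print("vulnerable, UNION:    ", lookup_vulnerable(db, union))
    print("bound only, tautology:", lookup_bound_only(db, tautology))
    try:
        lookup_parameterized(db, tautology)
    except ValueError as exc:
        print("validated + bound:     rejected:", exc)
```

Binding the parameter is the fix that actually removes the CWE-89 condition; the digit check is defence in depth that also gives the application a clean place to log and reject hostile input. The `--` in the UNION payload comments out the trailing quote the handler appends, which is why the injected statement parses cleanly.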
Advisories with further details, including potential mitigation guidance, are available at https://www.yuque.com/morysummer/vx41bz/vxhdpdeavzvtvdqq.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8660
Vulnerability details
Sourcecodester Online Exam System 1.0 is vulnerable to SQL Injection via dash.php.
- CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
SQL injection in a public-facing web application (dash.php), reachable without authentication, directly matches T1190, remote exploitation of public-facing applications.
Affected Assets
- Sourcecodester Online Exam System 1.0 (dash.php component)
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the SQL injection by requiring that untrusted input reaching the dash.php component is validated before it is used in a SQL query; in practice this means binding values as query parameters rather than concatenating them into SQL text, with validation as a second layer.
- SI-2 (Flaw Remediation): requires timely remediation of flaws such as this one in Sourcecodester Online Exam System 1.0, so that a fix is applied before public exploit code is used against exposed instances.
- SC-7 (Boundary Protection): a web application firewall at the boundary can inspect and block common SQL injection payloads aimed at dash.php. Treat this as a stop-gap that reduces exposure while the code is fixed, not as a replacement for remediation, since signature-based filtering can be bypassed.