CVE-2025-2847

MediumPublic PoC

Published: 27 March 2025

Published

27 March 2025

Modified

28 May 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0018 39.6th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2847 is a medium-severity Injection (CWE-74) vulnerability in Codezips Gym Management System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of inputs like the 'mm' argument in /dashboard/admin/over_month.php to directly prevent SQL injection exploitation.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of critical flaws such as this SQL injection vulnerability in the Gym Management System.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify SQL injection flaws like CVE-2025-2847, facilitating timely remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

T1505.006 vSphere Installation Bundles Persistence

Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors.

attack.mitre.org →

Why these techniques?

SQL injection in web application (/dashboard/admin/over_month.php) enables exploitation of public-facing applications (T1190) and abuse of server software components (T1505, specifically vSphere or general web app components like T1505.006), allowing unauthorized database access, manipulation, and potential compromise as noted in advisories.

NVD Description

A vulnerability, which was classified as critical, has been found in Codezips Gym Management System 1.0. This issue affects some unknown processing of the file /dashboard/admin/over_month.php. The manipulation of the argument mm leads to sql injection. The attack may be…

initiated remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-2847 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Codezips Gym Management System 1.0. The flaw affects the processing of the file /dashboard/admin/over_month.php, where manipulation of the "mm" argument enables SQL injection.

Remote attackers with low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation yields limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), as reflected in the CVSS v3.1 base score of 6.3 (S:U).

VulDB advisories, including entries at https://vuldb.com/?ctiid.301493 and https://vuldb.com/?id.301493, detail the issue, noting that an exploit has been publicly disclosed and may be used against vulnerable instances. No patches are referenced in available information.

The public availability of the exploit elevates the risk for deployments of the affected Gym Management System.

Details

CWE(s): CWE-74 CWE-89

Affected Products

codezips

gym management system

1.0

CVEs Like This One

CVE-2025-1856Same product: Codezips Gym Management System

CVE-2025-0532Same product: Codezips Gym Management System

CVE-2025-0541Same product: Codezips Gym Management System

CVE-2025-0535Same product: Codezips Gym Management System

CVE-2025-1188Same product: Codezips Gym Management System

CVE-2025-1959Same product: Codezips Gym Management System

CVE-2025-1380Same product: Codezips Gym Management System

CVE-2025-0880Same product: Codezips Gym Management System

CVE-2025-0231Same product: Codezips Gym Management System

CVE-2025-1854Same product: Codezips Gym Management System

References

https://vuldb.com/?ctiid.301493
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.301493
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.522330
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.yuque.com/baimatangseng-iyusa/qwwm81/zbefafzyl0of6g56?singleDoc
Exploit, Third Party Advisory · cna@vuldb.com