CVE-2025-2854

MediumPublic PoC

Published: 27 March 2025

Published

27 March 2025

Modified

14 May 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0025 48.0th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2854 is a medium-severity Injection (CWE-74) vulnerability in Fabian Payroll Management System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mandates validation of untrusted inputs like the emp_type parameter in update_employee.php to block SQL injection manipulation.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the identified SQL injection flaw in the Payroll Management System to eliminate the vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables vulnerability scanning to identify SQL injection issues like CVE-2025-2854 in web applications such as update_employee.php.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (update_employee.php) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505 as noted in advisory), and collection from databases via arbitrary SQL queries (T1213.006).

NVD Description

A vulnerability classified as critical was found in code-projects Payroll Management System 1.0. Affected by this vulnerability is an unknown functionality of the file update_employee.php. The manipulation of the argument emp_type leads to sql injection. The attack can be launched…

remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

Deeper analysisAI

CVE-2025-2854 is a critical SQL injection vulnerability (CWE-74, CWE-89) in code-projects Payroll Management System 1.0. It affects an unknown functionality within the file update_employee.php, where manipulation of the emp_type argument triggers the issue. The vulnerability, published on 2025-03-27, carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and can be exploited remotely.

A remote attacker with low privileges can exploit this vulnerability with low complexity and no user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption via SQL injection. The exploit has been publicly disclosed and may be used, with other parameters possibly affected as well.

Advisories and additional details, including potential exploit code, are referenced at sites such as https://code-projects.org/, https://github.com/hak0neP/cve/blob/main/sql-fizz.md, https://vuldb.com/?ctiid.301501, https://vuldb.com/?id.301501, and https://vuldb.com/?submit.522479. No specific patches or mitigations are detailed in the CVE description.

Details

CWE(s): CWE-74 CWE-89

Affected Products

fabian

payroll management system

1.0

CVEs Like This One

CVE-2025-2985Same product: Fabian Payroll Management System

CVE-2025-2984Same product: Fabian Payroll Management System

CVE-2025-3039Same product: Fabian Payroll Management System

CVE-2025-3038Same product: Fabian Payroll Management System

CVE-2025-2672Same product: Fabian Payroll Management System

CVE-2025-0230Same vendor: Fabian

CVE-2025-2391Same vendor: Fabian

CVE-2025-1197Same vendor: Fabian

CVE-2025-0229Same vendor: Fabian

CVE-2025-2389Same vendor: Fabian

References

https://code-projects.org/
Product · cna@vuldb.com
https://github.com/hak0neP/cve/blob/main/sql-fizz.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.301501
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.301501
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.522479
Third Party Advisory, VDB Entry · cna@vuldb.com