CVE-2025-29641
Published: 21 March 2025
Summary
CVE-2025-29641 is a high-severity SQL Injection (CWE-89) vulnerability in Anujk305 Vehicle Record Management System. Its CVSS base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 12.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-29641, published on 2025-03-21, is a SQL injection vulnerability (CWE-89) in Phpgurukul Vehicle Record Management System version 1.0. The flaw resides in the /index.php endpoint via the 'searchinputdata' parameter, allowing malicious SQL payloads to be injected into database queries.
The vulnerability has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity. An unauthenticated remote attacker with network access can exploit it with low attack complexity and no user interaction. Exploitation enables limited impacts: partial disclosure of confidential information, limited data modification, and limited denial-of-service effects.
Mitigation details are available in the referenced advisory at https://github.com/Pei4AN/CVE/issues/5.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7250
Vulnerability details
Phpgurukul Vehicle Record Management System v1.0 is vulnerable to SQL Injection in /index.php via the 'searchinputdata' parameter.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
SQL injection in public-facing web app (/index.php) directly enables remote unauthenticated exploitation of the application.
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): enforces validation of user inputs such as the 'searchinputdata' parameter to block malicious SQL payloads and prevent injection.
- SI-2 (Flaw Remediation): requires identification, reporting, and correction of the SQL injection flaw in the Vehicle Record Management System.
- Boundary protection: web application firewalls at network interfaces monitor and block SQL injection attempts.
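The query-construction flaw described under "Deeper analysis" and the SI-10 input-validation control above, shown together as an added illustration that is not code from the affected application (which is PHP; this uses Python with an in-memory SQLite table). The table, the registration numbers and the test inputs are constructed for the demo; the parameter name 'searchinputdata' is the one from the advisory.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the application's vehicle records.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vehicles (id INTEGER, regno TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO vehicles VALUES (?, ?, ?)",
        [(1, "KA01AB1234", "Asha"), (2, "MH02CD5678", "Ravi"), (3, "DL03EF9012", "Neha")],
    )
    return conn

def search_vulnerable(conn, searchinputdata):
    # The CWE-89 pattern: user input is concatenated into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, regno, owner FROM vehicles WHERE regno LIKE '%" + searchinputdata + "%'"
    return conn.execute(sql).fetchall()

def search_fixed(conn, searchinputdata):
    # Hardened form: the value is bound as a parameter and can only ever be data.
    sql = "SELECT id, regno, owner FROM vehicles WHERE regno LIKE ?"
    return conn.execute(sql, ("%" + searchinputdata + "%",)).fetchall()

# SI-10 style allowlist (assumed policy): a registration search only needs
# letters, digits, spaces and hyphens, so anything else is rejected up front.
ALLOWED = re.compile(r"^[A-Za-z0-9 -]{1,32}$")

def validate_searchinputdata(value):
    return ALLOWED.fullmatch(value) is not None

def demo():
    conn = make_db()
    benign = "KA01"
    # Constructed test input: the quote breaks out of the literal and appends an
    # always-true condition, so the vulnerable query returns every row.
    tautology = "x%' OR '1%'='1"
    return {
        "benign_vuln": len(search_vulnerable(conn, benign)),        # 1 row
        "benign_fixed": len(search_fixed(conn, benign)),            # 1 row
        "tautology_vuln": len(search_vulnerable(conn, tautology)),  # all 3 rows
        "tautology_fixed": len(search_fixed(conn, tautology)),      # 0 rows
        "tautology_validated": validate_searchinputdata(tautology), # rejected
    }

if __name__ == "__main__":
    print(demo())
```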