CVE-2025-70893
Published: 15 January 2026
Summary
CVE-2025-70893 is a high-severity SQL Injection (CWE-89) vulnerability in Phpgurukul Cyber Cafe Management System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of user-supplied inputs like the adminname parameter to prevent time-based blind SQL injection in adminprofile.php.
- SI-2 (Flaw Remediation): Mandates identification, prioritization, and timely remediation of flaws such as the input sanitization failure enabling SQL injection.
- Vulnerability scanning: Provides scanning to identify SQL injection flaws in web endpoints like adminprofile.php for subsequent remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct SQL injection in a web application endpoint enables remote exploitation of a public-facing app (T1190) and direct unauthorized access to backend database contents (T1213).
NVD Description
A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. The application fails to properly sanitize user-supplied input provided via the adminname parameter, allowing authenticated attackers to inject arbitrary SQL expressions.
Deeper analysis
CVE-2025-70893, published on 2026-01-15, is a time-based blind SQL injection vulnerability (CWE-89) affecting PHPGurukul Cyber Cafe Management System version 1.0. The flaw occurs in the adminprofile.php endpoint, where the application fails to properly sanitize user-supplied input via the adminname parameter, allowing authenticated attackers to inject arbitrary SQL expressions. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no requirement for user interaction (UI:N). By crafting malicious payloads in the adminname parameter, they can trigger time-based blind SQL injection to infer data or execute arbitrary SQL commands, achieving high confidentiality (C:H), integrity (I:H), and availability (A:H) impacts within the unchanged scope (S:U). This could enable data exfiltration, unauthorized modifications, or service disruption on the backend database.
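A time-based blind injection leaves two traces in web server logs: a timing function in the injected value (when it travels in the query string) and an abnormally long service time on the affected endpoint. The detector below is an added example, not code from the advisory or the PHPGurukul project; it assumes Apache combined log format with the request service time in microseconds (%D) appended as the last field, and the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format plus a trailing %D (service time in microseconds).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)
# SQL functions that build a timing oracle; the NVD entry describes a
# time-based blind injection, so these are the payload signatures to watch.
TIMING_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)

def analyse_line(line, slow_ms=2000):
    """Return alert reasons for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    if not url.path.endswith("/adminprofile.php"):
        return []
    reasons = []
    # adminname is only visible here when sent in the query string; POST bodies
    # need a WAF or audit log, so the timing check below covers those as well.
    for value in parse_qs(url.query, keep_blank_values=True).get("adminname", []):
        # parse_qs decoded once; decode again to catch double-encoded probes.
        if TIMING_RE.search(unquote_plus(value)):
            reasons.append("timing function in adminname parameter")
    usec = int(m["usec"])
    if usec >= slow_ms * 1000:
        reasons.append(f"slow response ({usec // 1000} ms) on adminprofile.php")
    return reasons

def scan(lines, slow_ms=2000):
    """Map source IP -> alert reasons, so repeated slow hits stand out per client."""
    alerts = {}
    for line in lines:
        reasons = analyse_line(line, slow_ms)
        if reasons:
            alerts.setdefault(LOG_RE.match(line)["ip"], []).extend(reasons)
    return alerts

# Constructed sample lines: a normal profile view, a GET carrying a timing
# probe in adminname, and a POST that merely took suspiciously long.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jan/2026:10:00:01 +0000] "GET /ccms/adminprofile.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 120000',
    '198.51.100.9 - - [15/Jan/2026:10:00:07 +0000] "GET /ccms/adminprofile.php?adminname=admin%27+AND+SLEEP%285%29--+- HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5010000',
    '198.51.100.9 - - [15/Jan/2026:10:00:15 +0000] "POST /ccms/adminprofile.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 5004000',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, reasons)
```

Tune slow_ms to the endpoint's normal service time; a single slow request is noise, but several from one client against adminprofile.php is the pattern a timing oracle produces.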
References include a GitHub repository documenting the vulnerability and proof-of-concept at https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70893, as well as the official project page at https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/. No specific patches or mitigation guidance are detailed in the provided sources.
Details
- CWE(s)