CVE-2025-7163

MediumPublic PoC

Published: 08 July 2025

Published

08 July 2025

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0027 50.2th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7163 is a medium-severity Injection (CWE-74) vulnerability in Phpgurukul Zoo Management System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

SA-11 Developer Testing and Evaluation

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

SI-10 Information Input Validation

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

SI-4 System Monitoring

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

SQL injection vulnerability in public-facing web application (/admin/add-animals.php) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505 as assigned in advisory), and collection of data from databases (T1213.006).

NVD Description

A vulnerability, which was classified as critical, was found in PHPGurukul Zoo Management System 2.1. Affected is an unknown function of the file /admin/add-animals.php. The manipulation of the argument cnum leads to sql injection. It is possible to launch the…

attack remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-7163 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) in PHPGurukul Zoo Management System version 2.1. The flaw resides in an unknown function within the file /admin/add-animals.php, where manipulation of the 'cnum' argument enables SQL injection. It has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is exploitable remotely over the network with low attack complexity, requiring only low privileges, and no user interaction. An attacker with such access can achieve limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption via injected SQL queries.

Advisories and further details are available in the referenced sources, including a GitHub issue at https://github.com/f1rstb100d/myCVE/issues/106, the vendor site at https://phpgurukul.com/, and VULDB entries at https://vuldb.com/?ctiid.315102, https://vuldb.com/?id.315102, and https://vuldb.com/?submit.606370.

The exploit has been disclosed publicly and may be used, as noted in the CVE description published on 2025-07-08.

Details

CWE(s): CWE-74 CWE-89

Affected Products

phpgurukul

zoo management system

2.1

CVEs Like This One

CVE-2025-2656Same product: Phpgurukul Zoo Management System

CVE-2025-7162Same product: Phpgurukul Zoo Management System

CVE-2025-7160Same product: Phpgurukul Zoo Management System

CVE-2025-7159Same product: Phpgurukul Zoo Management System

CVE-2025-7158Same product: Phpgurukul Zoo Management System

CVE-2025-7161Same product: Phpgurukul Zoo Management System

CVE-2025-2646Same vendor: Phpgurukul

CVE-2025-7491Same vendor: Phpgurukul

CVE-2025-2471Same vendor: Phpgurukul

CVE-2025-2642Same vendor: Phpgurukul

References

https://github.com/f1rstb100d/myCVE/issues/106
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://phpgurukul.com/
Product · cna@vuldb.com
https://vuldb.com/?ctiid.315102
Permissions Required · cna@vuldb.com
https://vuldb.com/?id.315102
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.606370
Third Party Advisory, VDB Entry · cna@vuldb.com