Cyber Resilience

CVE-2025-7200

Low · Public PoC

Published: 08 July 2025

Modified: 29 April 2026
KEV Added
Patch
CVSS Score v4: 2.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0022 (45.3rd percentile)
Risk Priority: 4 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7200 is a low-severity Injection (CWE-74) vulnerability in Krishna9772 Pharmacy Management System. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 45.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-7200 is a SQL injection vulnerability classified as critical in the krishna9772 Pharmacy Management System up to commit a2efc8442931ec9308f3b4cf4778e5701153f4e5. The issue affects an unknown function in the file quantity_upd.php, where manipulation of the arguments med_name, med_cat, or ex_date enables the injection. The vulnerability is remotely exploitable and has been publicly disclosed with proof-of-concept exploits available.

Attackers with low privileges, such as authenticated users, can exploit this over the network with low complexity and no user interaction required, as indicated by the CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption within the application's database.

Advisories from VulDB and GitHub repositories detail the vulnerability but note the product's use of continuous delivery with rolling releases, providing no specific version information for affected or patched releases. Practitioners should review the referenced proof-of-concept at https://github.com/horytick/CVE/blob/main/SQL%20Injection%20Vulnerability%20in%20Pharmacy%20Management%20System.md and monitor for updates, applying input validation or prepared statements to quantity_upd.php as interim mitigations.

The exploit is publicly available and may be actively used. The vulnerability is mapped to CWE-74 (Improper Neutralization of Special Elements) and CWE-89 (SQL Injection). No evidence of widespread real-world exploitation is reported in the available data.

Vulnerability details

A vulnerability, which was classified as critical, was found in krishna9772 Pharmacy Management System up to a2efc8442931ec9308f3b4cf4778e5701153f4e5. Affected is an unknown function of the file quantity_upd.php. The manipulation of the argument med_name/med_cat/ex_date leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible web application (quantity_upd.php) directly enables exploitation of a public-facing or network-exposed app per T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150: Shared CWE-74, CWE-89
CVE-2026-3746: Shared CWE-74, CWE-89
CVE-2025-2683: Shared CWE-74, CWE-89
CVE-2026-5238: Shared CWE-74, CWE-89
CVE-2026-4288: Shared CWE-74, CWE-89
CVE-2026-2220: Shared CWE-74, CWE-89
CVE-2025-1535: Shared CWE-74, CWE-89
CVE-2026-0597: Shared CWE-74, CWE-89
CVE-2026-1688: Shared CWE-74, CWE-89
CVE-2026-5018: Shared CWE-74, CWE-89

Affected Assets

Vendor: krishna9772
Product: pharmacy management system
Version: ≤ 2024-03-06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of med_name/med_cat/ex_date inputs in quantity_upd.php to block SQL injection payloads before they reach the database.

prevent

Enforces access restrictions on the vulnerable function so that only authorized code paths can execute database operations, limiting the reach of any injected statements.

prevent

Requires timely remediation of the identified SQL injection flaw in quantity_upd.php, directly eliminating the publicly disclosed vulnerability.
