CVE-2025-7200
Published: 08 July 2025
Summary
CVE-2025-7200 is a low-severity Injection (CWE-74) vulnerability in Krishna9772 Pharmacy Management System. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 45.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-7200 is a SQL injection vulnerability classified as critical in the krishna9772 Pharmacy Management System up to commit a2efc8442931ec9308f3b4cf4778e5701153f4e5. The issue affects an unknown function in the file quantity_upd.php, where manipulation of the arguments med_name, med_cat, or ex_date enables the injection. The vulnerability is remotely exploitable and has been publicly disclosed with proof-of-concept exploits available.
Attackers with low privileges, such as authenticated users, can exploit this over the network with low complexity and no user interaction required, as indicated by the CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption within the application's database.
Advisories from VulDB and GitHub repositories detail the vulnerability but note the product's use of continuous delivery with rolling releases, providing no specific version information for affected or patched releases. Practitioners should review the referenced proof-of-concept at https://github.com/horytick/CVE/blob/main/SQL%20Injection%20Vulnerability%20in%20Pharmacy%20Management%20System.md and monitor for updates, applying input validation or prepared statements to quantity_upd.php as interim mitigations.
A public exploit is available and may be in active use. The flaw is mapped to CWE-74 (Improper Neutralization of Special Elements) and CWE-89 (SQL Injection). No evidence of widespread real-world exploitation is reported in the available data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20757
Vulnerability details
A vulnerability, which was classified as critical, was found in krishna9772 Pharmacy Management System up to a2efc8442931ec9308f3b4cf4778e5701153f4e5. Affected is an unknown function of the file quantity_upd.php. The manipulation of the argument med_name/med_cat/ex_date leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a remotely accessible web application (quantity_upd.php) directly enables exploitation of a public-facing or network-exposed app per T1190.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of med_name/med_cat/ex_date inputs in quantity_upd.php to block SQL injection payloads before they reach the database.
- Enforces access restrictions on the vulnerable function so that only authorized code paths can execute database operations, limiting the reach of any injected statements.
- Requires timely remediation of the identified SQL injection flaw in quantity_upd.php, directly eliminating the publicly disclosed vulnerability.
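As an added illustration of the interim mitigations named in the deeper analysis and the controls listed above (this is not code from the Pharmacy Management System; the `medicine` table, its column names, the `$pdo` connection and the session layout are assumed), a hardened update handler that validates med_name, med_cat and ex_date, enforces authorization before any database work, and binds the values through a PDO prepared statement instead of concatenating them into SQL:

```php
<?php
// Added example, not code from the Pharmacy Management System. Assumed: a PDO
// connection in $pdo, a `medicine` table (med_name, med_cat, ex_date, quantity),
// and a session that records the logged-in user's id and role.
session_start();

// AC-3: only an authenticated pharmacist may reach the update path at all.
function require_pharmacist(): void {
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'pharmacist') {
        http_response_code(403);
        exit('forbidden');
    }
}

// SI-10: accept only values of the expected shape and reject everything else,
// rather than trying to escape hostile input after the fact.
function validate_update(array $in): array {
    $name = trim((string)($in['med_name'] ?? ''));
    $cat  = trim((string)($in['med_cat'] ?? ''));
    $date = trim((string)($in['ex_date'] ?? ''));
    $qty  = filter_var($in['quantity'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($name === '' || strlen($name) > 100) { throw new InvalidArgumentException('bad med_name'); }
    if (!preg_match('/^[A-Za-z0-9 _-]{1,50}$/', $cat)) { throw new InvalidArgumentException('bad med_cat'); }
    // Round-trip through DateTime so 2025-02-30 and similar roll-over dates are rejected too.
    $d = DateTime::createFromFormat('!Y-m-d', $date);
    if ($d === false || $d->format('Y-m-d') !== $date) { throw new InvalidArgumentException('bad ex_date'); }
    if ($qty === false) { throw new InvalidArgumentException('bad quantity'); }
    return [$name, $cat, $date, $qty];
}

// Prepared statement: the user-controlled values are bound as data and never
// become part of the SQL text, so quotes or keywords in them cannot alter the query.
function update_quantity(PDO $pdo, string $name, string $cat, string $date, int $qty): int {
    $stmt = $pdo->prepare('UPDATE medicine SET quantity = :qty'
        . ' WHERE med_name = :name AND med_cat = :cat AND ex_date = :date');
    $stmt->bindValue(':qty', $qty, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name);
    $stmt->bindValue(':cat', $cat);
    $stmt->bindValue(':date', $date);
    $stmt->execute();
    return $stmt->rowCount();
}

require_pharmacist();
[$name, $cat, $date, $qty] = validate_update($_POST);
echo update_quantity($pdo, $name, $cat, $date, $qty), " row(s) updated";
```

With this shape, a medicine name containing an apostrophe is stored and matched literally, which is exactly the case that breaks a concatenated query.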