CVE-2025-7491
Published: 12 July 2025
Summary
CVE-2025-7491 is an SQL injection vulnerability (CWE-89, a child of the Injection class CWE-74) in PHPGurukul Vehicle Parking Management System 1.13. Its CVSS v3.1 base score is 6.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 44.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-7491 is an SQL injection vulnerability in PHPGurukul Vehicle Parking Management System version 1.13 (the VulDB entry labels it "critical"; its CVSS v3.1 base score is 6.3, Medium). The flaw lies in an unidentified function of the file /admin/manage-outgoingvehicle.php, where the value of the 'del' argument is placed into an SQL statement without being neutralised. It is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection') and its parent CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection').
The vulnerability is exploitable over the network with low attack complexity and no user interaction, but it requires low privileges (PR:L): because the endpoint sits under /admin/, in practice an authenticated session on the admin interface. Confidentiality, integrity and availability impact are each rated low, giving a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). "Low" here is the scoring rubric's partial impact, not a statement that the bug is harmless: if, as its name suggests, 'del' selects a record for deletion, a tautology in that parameter can widen the affected row set well beyond the one record intended.
Further details are available from the advisories and references: the VulDB entries (ctiid.316141, id.316141, submit.610576), the GitHub issue at github.com/f1rstb100d/myCVE/issues/119, and the vendor site phpgurukul.com. The exploit has been publicly disclosed and may be used by attackers.
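The advisory does not reproduce the application's source, so the following is an added illustration, not PHPGurukul's code: it models the pattern the description implies (a request parameter spliced into the text of an SQL statement) next to the hardened form, using Python and an in-memory SQLite database in place of PHP and MySQL. The table name, columns, sample rows and the tautology payload are all constructed for the example.

```python
import re
import sqlite3

# Assumed schema for illustration only; the advisory does not show the
# application's tables, just that the 'del' argument of
# /admin/manage-outgoingvehicle.php reaches an SQL statement unsanitised.
SCHEMA = """
CREATE TABLE outgoing_vehicle (
    id INTEGER PRIMARY KEY,
    vehicle_number TEXT NOT NULL,
    out_time TEXT NOT NULL
);
"""

# Constructed sample rows standing in for parking records.
SAMPLE_ROWS = [
    (1, "KA01AB1234", "2025-07-10 08:15"),
    (2, "KA02CD5678", "2025-07-10 09:40"),
    (3, "KA03EF9012", "2025-07-10 11:05"),
]

# Constructed payload: closes the quoted value and appends an always-true clause.
TAUTOLOGY = "' OR '1'='1"

# Allow-list for a record id: positive decimal, no leading zero, at most ten digits.
ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def fresh_db() -> sqlite3.Connection:
    """Return an in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO outgoing_vehicle VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def remaining(conn: sqlite3.Connection) -> int:
    """Number of rows still present, used to observe the blast radius."""
    return conn.execute("SELECT COUNT(*) FROM outgoing_vehicle").fetchone()[0]


def delete_vulnerable(conn: sqlite3.Connection, del_param: str) -> int:
    """Model of the vulnerable pattern: the raw request parameter is concatenated
    into the statement text, so quotes in the value change the statement's logic.
    Returns the number of rows removed."""
    sql = "DELETE FROM outgoing_vehicle WHERE id = '" + del_param + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def is_valid_record_id(value: str) -> bool:
    """SI-10 style input validation: reject anything that is not a plain id."""
    return ID_RE.fullmatch(value) is not None


def delete_hardened(conn: sqlite3.Connection, del_param: str) -> int:
    """Hardened form: validate against the allow-list, then bind the value as a
    parameter so the driver can never interpret it as part of the statement."""
    if not is_valid_record_id(del_param):
        raise ValueError("invalid record id")
    cur = conn.execute("DELETE FROM outgoing_vehicle WHERE id = ?", (int(del_param),))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, del=2        ->", delete_vulnerable(db, "2"), "row(s) deleted")
    print("vulnerable, tautology    ->", delete_vulnerable(db, TAUTOLOGY), "row(s) deleted")
    db = fresh_db()
    try:
        delete_hardened(db, TAUTOLOGY)
    except ValueError as exc:
        print("hardened, tautology      -> rejected:", exc)
    print("hardened, del=2          ->", delete_hardened(db, "2"), "row(s) deleted")
```

The two defences are deliberately layered: the allow-list alone would be enough for an integer id, and the bound parameter alone would be enough to stop the tautology, but keeping both means a later change to one (say, accepting non-numeric keys) does not silently reopen the hole.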
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21234
Vulnerability details
A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/manage-outgoingvehicle.php. The manipulation of the argument del leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection through the 'del' parameter of /admin/manage-outgoingvehicle.php is a direct instance of Exploit Public-Facing Application (T1190). The advisory additionally maps it to Server Software Component (T1505), because code execution or data tampering gained through a web application can be used to install persistent components on the server, and to Data from Information Repositories: Databases (T1213.006), because the injected statement reads or alters the application's database contents.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of the 'del' parameter in manage-outgoingvehicle.php before it reaches the database (an allow-list for the expected record id, combined with a parameterised query), which directly closes the injection vector described in CVE-2025-7491.
- AC-6 (Least Privilege): restricts the population of low-privilege accounts (PR:L) that can reach /admin/manage-outgoingvehicle.php, and so limits who can trigger the injection; the same principle applied to the database account the application uses bounds what an injected statement can do.
- System and application monitoring: enables detection of anomalous SQL syntax in requests to the vulnerable endpoint and in the queries the application issues, so that exploitation attempts are logged and alerted on rather than silently succeeding.
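As an added example of the monitoring control above (not code from the advisory or the vendor), the script below scans web server access log lines for requests to /admin/manage-outgoingvehicle.php whose 'del' value, once URL-decoded, is not a plain numeric id. The four log lines are constructed for the example, including their client addresses, timestamps and status codes; the regular expression for SQL metacharacters is a starting point, not a complete signature.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (not real traffic). The first two are
# ordinary admin activity; the third and fourth carry injection attempts against
# the endpoint named in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2025:10:01:12 +0000] "GET /admin/manage-outgoingvehicle.php?del=17 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2025:10:01:40 +0000] "GET /admin/dashboard.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2025:10:02:03 +0000] "GET /admin/manage-outgoingvehicle.php?del=17%27%20OR%20%271%27%3D%271 HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.9 - - [12/Jul/2025:10:02:05 +0000] "GET /admin/manage-outgoingvehicle.php?del=17%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 302 0 "-" "curl/8.4.0"
"""

VULN_PATH = "/admin/manage-outgoingvehicle.php"
VULN_PARAM = "del"

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Quote characters, comment openers and a few keywords that never belong in a record id.
SQL_META = re.compile(r"""['"`;]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b""", re.I)


def check_del_value(value: str) -> Optional[str]:
    """Return a reason if the decoded 'del' value is not a plain numeric id, else None."""
    if value.isdigit():
        return None
    if SQL_META.search(value):
        return "sql metacharacters in del"
    return "non-numeric del"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag requests to the vulnerable endpoint whose 'del' parameter looks injected."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes the values; keep_blank_values so an empty del= is examined too.
        for value in parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, []):
            reason = check_del_value(value)
            if reason is not None:
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "value": value,
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['reason']}: del={f['value']!r}")
```

Because the vulnerable page requires an authenticated session (PR:L), a hit in the access log does not by itself say whether the attempt succeeded; correlate the flagged requests with the application's session or login records, and with the database's query log where one is available, before treating an alert as confirmed exploitation rather than unauthenticated scanning.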