CVE Vulnerability Database

CVE-2025-8247: Online Admission System SQLi Vulnerability

CVE-2025-8247 is a critical SQL injection vulnerability in Projectworlds Online Admission System 1.0 affecting the admin.php file. This article covers the technical details, affected versions, security impact, and mitigation.


CVE-2025-8247 Overview

CVE-2025-8247 is a SQL injection vulnerability in Projectworlds Online Admission System 1.0. The flaw resides in the /admin.php script, where the markof parameter is passed into a database query without proper sanitization. Remote attackers with low-privileged access can manipulate the parameter to inject arbitrary SQL statements. The issue is tracked under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed installations.

Critical Impact

Authenticated remote attackers can inject SQL through the markof parameter in /admin.php, potentially exposing or modifying admission records stored in the backend database.

Affected Products

  • Projectworlds Online Admission System 1.0
  • CPE: cpe:2.3:a:projectworlds:online_admission_system:1.0:*:*:*:*:*:*:*
  • Component: projectworlds:online_admission_system

Discovery Timeline

  • 2025-07-28 - CVE-2025-8247 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-8247

Vulnerability Analysis

The vulnerability exists in an administrative endpoint of Projectworlds Online Admission System 1.0. The /admin.php handler accepts the markof parameter from the HTTP request and concatenates it directly into a SQL query. Because the input is not sanitized or bound as a prepared statement parameter, attackers can break out of the intended query context and append arbitrary SQL clauses.

Exploitation requires network reachability to the admin interface and low-privileged authentication, as reflected in the CVSS 4.0 vector. Successful injection can read, modify, or delete admission records, exfiltrate credentials stored in the database, and pivot to further attacks against connected systems. The public disclosure of the proof of concept lowers the barrier for opportunistic attackers scanning for vulnerable deployments.

Root Cause

The root cause is improper neutralization of special elements within the markof request parameter [CWE-74]. The application constructs SQL statements through string concatenation rather than using parameterized queries or stored procedures with bound inputs.

Attack Vector

An attacker sends a crafted HTTP request to /admin.php containing SQL metacharacters in the markof argument. The injected payload executes within the context of the application database user, returning data through error messages, time delays, or in-band responses depending on the query structure.

For technical details of the proof of concept, refer to the GitHub CVE Issue and the VulDB entry #317835.

Detection Methods for CVE-2025-8247

Indicators of Compromise

  • HTTP requests to /admin.php whose markof parameter contains SQL keywords or metacharacter sequences such as UNION, SELECT, SLEEP, --, or OR 1=1.
  • Unusually long or URL-encoded values in the markof parameter from a single source IP.
  • Web server or database error messages referencing syntax errors triggered from admin.php.
  • Spikes in database query latency correlated with requests to the admin interface.
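The indicators above can be checked mechanically against web access logs. The following PHP CLI script is an added example, not code from the CVE record or from Projectworlds: it parses combined-format access log lines, isolates requests to /admin.php, URL-decodes the markof parameter and flags values that are not the plain integer the application expects, that carry SQL keywords or comment sequences, or that are unusually long, grouping hits by source IP. The log lines are constructed sample data.

```php
<?php
// Added example, not part of the CVE record or the Projectworlds code base:
// scans combined-format web access log lines for requests to /admin.php whose
// markof parameter shows the indicators listed above. The log lines are
// constructed sample data, not captured traffic.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [28/Jul/2025:10:01:02 +0000] "GET /admin.php?markof=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jul/2025:10:01:09 +0000] "GET /admin.php?markof=12%27%20OR%201%3D1--%20 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jul/2025:10:01:15 +0000] "GET /admin.php?markof=12%27%20UNION%20SELECT%20user%2Cpass%20FROM%20admin--%20 HTTP/1.1" 500 210 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Jul/2025:10:02:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.7 - - [28/Jul/2025:10:02:30 +0000] "GET /admin.php?markof=12%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG;

// Heuristics taken from the indicators above: SQL keywords, comment and
// statement separators, quote characters, and numeric tautologies.
const SQLI_PATTERN = '/\b(union|select|sleep|benchmark|or\s+\d+\s*=\s*\d+)\b|--|\/\*|;|\x27/i';

/**
 * Return ['ip' => ..., 'markof' => decoded value] for a combined-format log
 * line that requests /admin.php with a markof parameter, or null otherwise.
 */
function extractMarkof(string $line): ?array
{
    // Client IP is the first field; the request target sits inside the quoted
    // request field between the method and the protocol version.
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
        return null;
    }
    [, $ip, $target] = $m;
    $path  = parse_url($target, PHP_URL_PATH);
    $query = parse_url($target, PHP_URL_QUERY);
    if ($path !== '/admin.php' || !is_string($query)) {
        return null;
    }
    parse_str($query, $params);   // parse_str also URL-decodes the values
    if (!isset($params['markof']) || !is_string($params['markof'])) {
        return null;
    }
    return ['ip' => $ip, 'markof' => $params['markof']];
}

/** Return the list of reasons a markof value looks suspicious (empty = benign). */
function suspiciousReasons(string $value): array
{
    $reasons = [];
    // The application uses markof as a record identifier, so a well-formed
    // request carries a plain integer; anything else is anomalous on its own.
    if (!preg_match('/^\d+$/', $value)) {
        $reasons[] = 'non-integer value';
    }
    if (preg_match(SQLI_PATTERN, $value)) {
        $reasons[] = 'SQL keywords or metacharacters';
    }
    if (strlen($value) > 32) {
        $reasons[] = 'unusually long value';
    }
    return $reasons;
}

/** Scan log text and return suspicious /admin.php requests grouped by source IP. */
function scanLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = extractMarkof($line);
        if ($req === null) {
            continue;
        }
        $reasons = suspiciousReasons($req['markof']);
        if ($reasons !== []) {
            $findings[$req['ip']][] = ['value' => $req['markof'], 'reasons' => $reasons];
        }
    }
    return $findings;
}

foreach (scanLog(SAMPLE_LOG) as $ip => $hits) {
    printf("%s: %d suspicious request(s) to /admin.php\n", $ip, count($hits));
    foreach ($hits as $hit) {
        printf("  markof=%s  [%s]\n", $hit['value'], implode(', ', $hit['reasons']));
    }
}
```

Run it with `php scan_markof.php` (or feed real log text into scanLog through `file_get_contents`). The decode step matters: the URL-encoded form of the indicators (%27, %20, %3D) does not contain the literal keywords, so matching on the raw request line alone misses them, which is the reason the page's second indicator singles out encoded values.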

Detection Strategies

  • Deploy web application firewall (WAF) signatures that flag SQL injection patterns targeting the markof parameter.
  • Enable database query logging and alert on queries that deviate from baseline patterns issued by the admission application.
  • Correlate web access logs with authentication events to identify low-privileged accounts probing administrative endpoints.

Monitoring Recommendations

  • Monitor outbound connections from the application server for signs of data exfiltration following suspicious requests.
  • Track failed and successful logins to the admin portal and review session activity for accounts issuing requests to /admin.php.
  • Retain web, application, and database logs for at least 90 days to support forensic review.

How to Mitigate CVE-2025-8247

Immediate Actions Required

  • Restrict access to /admin.php to trusted IP ranges using network ACLs or reverse proxy rules.
  • Audit the admission system database for unauthorized records, modified marks, and new administrative accounts.
  • Rotate database credentials used by the application and any administrator passwords that may have been exposed.
  • Place the application behind a WAF configured to block SQL injection payloads until a code-level fix is applied.

Patch Information

No vendor advisory or official patch is referenced in the available CVE data. Organizations running Projectworlds Online Admission System 1.0 should contact the vendor directly or remediate at the source code level by replacing concatenated SQL statements in admin.php with prepared statements using parameter binding. Refer to the VulDB record for updates.

Workarounds

  • Modify admin.php to validate and cast the markof parameter to its expected data type before use in any SQL query.
  • Replace inline SQL with parameterized queries using PDO or MySQLi prepared statements.
  • Apply the principle of least privilege to the database account used by the application, removing unnecessary DROP, ALTER, and FILE privileges.
  • If patching is not feasible, take the affected endpoint offline until remediation is complete.

# Example WAF rule (ModSecurity) blocking SQLi in the markof parameter
SecRule ARGS:markof "@detectSQLi" \
  "id:1008247,phase:2,deny,status:403,\
  msg:'CVE-2025-8247 SQLi attempt against markof parameter',\
  logdata:'Matched value: %{MATCHED_VAR}'"
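The code-level remediation described under Root Cause, Patch Information and Workarounds, as an added example that is not code from Projectworlds Online Admission System (whose actual admin.php is not reproduced in the CVE record): the string-concatenation pattern the CVE describes, placed beside a hardened handler that validates the markof parameter as an integer and binds it through a PDO prepared statement. The students table, its columns, and the in-memory SQLite database used for the demonstration are assumptions; the real schema is unknown.

```php
<?php
// Added example, not code from Projectworlds Online Admission System: the
// string-concatenation pattern the CVE describes, beside a hardened handler
// that validates the markof parameter and binds it with a PDO prepared
// statement. Table and column names (students: id, name, mark) and the SQLite
// demo database are assumptions; the real schema is not in the CVE record.

declare(strict_types=1);

// --- Vulnerable pattern (the defect behind CVE-2025-8247; do not use) ---
function vulnerableLookup(PDO $db, array $get): array
{
    $markof = $get['markof'] ?? '';
    // The parameter becomes part of the SQL text, so quotes and operators in
    // it change the structure of the query instead of being treated as data.
    $sql = "SELECT id, name, mark FROM students WHERE id = '" . $markof . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened handler: validate the type, then bind as a parameter ---
function safeLookup(PDO $db, array $get): array
{
    // Workaround 1: markof is expected to be a positive integer identifier.
    // Anything else is rejected before it reaches the database layer.
    $id = filter_var($get['markof'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('markof must be a positive integer');
    }

    // Workaround 2: a prepared statement ships the SQL text and the value
    // separately, so the driver never parses the value as SQL. With pdo_mysql
    // also set PDO::ATTR_EMULATE_PREPARES => false to get server-side binding.
    $stmt = $db->prepare('SELECT id, name, mark FROM students WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database with constructed rows.
// (Workaround 3, least privilege, is a DBA step: the account the application
// connects with should hold only the SELECT/INSERT/UPDATE grants it needs.)
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, mark INTEGER)');
$db->exec("INSERT INTO students VALUES (1, 'Alice', 88), (2, 'Bob', 72)");

$benign    = ['markof' => '1'];
$tautology = ['markof' => "1' OR '1'='1"];   // constructed hostile input

// Concatenation: the tautology widens the WHERE clause and returns every row.
printf("vulnerable, tautology: %d row(s)\n", count(vulnerableLookup($db, $tautology)));

// Prepared statement: benign input returns one row; hostile input never runs.
printf("safe, benign: %d row(s)\n", count(safeLookup($db, $benign)));
try {
    safeLookup($db, $tautology);
} catch (InvalidArgumentException $e) {
    printf("safe, tautology: rejected (%s)\n", $e->getMessage());
}
```

The two workarounds are independent layers: the integer check alone would already stop this particular payload, but binding the value is what removes the injection class entirely, including for parameters that legitimately carry free text. In the real handler the InvalidArgumentException would map to an HTTP 400 response rather than a console message.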

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
