How to fix CVE-2025-6157?

Within 24 hours: Inventory all systems running PHPGurukul 1.0 and isolate them from production networks if possible; enable WAF rules to block SQL injection patterns in the testtype parameter. Within 7 days: Implement network segmentation to restrict access to /registered-user-testing.php to authorized users only; conduct database audit logs for suspicious activity. Within 30 days: Migrate to a patched version or alternative solution; if upgrade unavailable, evaluate decommissioning the application and transitioning to a vendor-supported replacement.

Is PHP affected by CVE-2025-6157?

A critical SQL injection vulnerability in PHPGurukul Nipah Virus Testing Management System 1.0 allows unauthenticated remote attackers to compromise database integrity and extract sensitive health data.

CVE-2025-6157

EUVD-2025-18463 HIGH

2025-06-17 [email protected]

PHP SQLi Nipah Virus Testing Management System

7.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 22:15 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 22:15 euvd

EUVD-2025-18463

PoC Detected

Jun 24, 2025 - 15:52 vuln.today

Public exploit code

CVE Published

Jun 17, 2025 - 03:15 nvd

HIGH 7.3

DescriptionNVD

A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /registered-user-testing.php. The manipulation of the argument testtype leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

Critical SQL injection vulnerability in PHPGurukul Nipah Virus Testing Management System version 1.0, located in the /registered-user-testing.php file where the 'testtype' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk in production environments.

Technical ContextAI

This vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - 'Injection'), manifesting as SQL injection. The affected application is PHPGurukul Nipah Virus Testing Management System 1.0, a PHP-based web application (CPE: cpe:2.3:a:phpgurukul:nipah_virus_testing_management_system:1.0:*:*:*:*:*:*:*). The vulnerability stems from inadequate input validation/sanitization of user-supplied data (testtype parameter) before incorporation into SQL queries. This is a classic injection vulnerability where attackers can manipulate SQL query logic by injecting malicious SQL syntax through the testtype parameter, bypassing intended query constraints.

CVE-2025-6157 vulnerability details – vuln.today

Back