Cyber Resilience

CVE-2025-0294

MediumPublic PoC

Published: 07 January 2025

Published
07 January 2025
Modified
29 April 2025
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0019 41.2th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0294 is a medium-severity Injection (CWE-74) vulnerability in Acetech Home Clean Services Management System. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-0294 is a SQL injection vulnerability classified as critical in SourceCodester Home Clean Services Management System 1.0. The flaw affects an unknown functionality in the file /public_html/admin/process.php, where manipulation of the arguments type, length, and business enables the injection. Mapped to CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-07.

The vulnerability allows remote exploitation over the network with low complexity but requires high privileges. Attackers can achieve limited impacts on confidentiality, integrity, and availability through SQL injection, potentially affecting other parameters as well.

Advisories reference a public exploit disclosure on GitHub detailing the SQL injection in process.php, along with VulDB entries (ctiid.290443, id.290443, submit.475076). The vendor site at sourcecodester.com is also listed, though specific patch or mitigation details are not outlined in the CVE description.

The exploit has been disclosed to the public and may be used.

EU & UK References

Vulnerability details

A vulnerability has been found in SourceCodester Home Clean Services Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /public_html/admin/process.php. The manipulation of the argument type/length/business leads to sql injection. The…

more

attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505 Server Software Component Persistence
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in /admin/process.php enables exploitation of public-facing web applications (T1190), abuse of server software components for code execution (T1505 as cited in advisory), and collection of data from databases (T1213.006).

CVEs Like This One

CVE-2025-0410Shared CWE-74, CWE-89
CVE-2025-2034Shared CWE-74, CWE-89
CVE-2025-0486Shared CWE-74, CWE-89
CVE-2025-1185Shared CWE-74, CWE-89
CVE-2025-2389Shared CWE-74, CWE-89
CVE-2025-0558Shared CWE-74, CWE-89
CVE-2025-2391Shared CWE-74, CWE-89
CVE-2025-2066Shared CWE-74, CWE-89
CVE-2025-2663Shared CWE-74, CWE-89
CVE-2025-0233Shared CWE-74, CWE-89

Affected Assets

acetech
home clean services management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection in /public_html/admin/process.php by validating and sanitizing the type/length/business arguments before database queries.

prevent

Requires timely remediation of the specific critical SQL injection flaw (CVE-2025-0294) via patching or code fixes in the Home Clean Services Management System.

detect

Identifies the SQL injection vulnerability through regular automated vulnerability scanning of the affected application and parameters.

References