CVE-2025-0294
Published: 07 January 2025
Summary
CVE-2025-0294 is a medium-severity Injection (CWE-74) vulnerability in Acetech Home Clean Services Management System. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-0294 is a SQL injection vulnerability classified as critical in SourceCodester Home Clean Services Management System 1.0. The flaw affects an unknown functionality in the file /public_html/admin/process.php, where manipulation of the arguments type, length, and business enables the injection. Mapped to CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-07.
The vulnerability allows remote exploitation over the network with low complexity but requires high privileges. Attackers can achieve limited impacts on confidentiality, integrity, and availability through SQL injection, potentially affecting other parameters as well.
Advisories reference a public exploit disclosure on GitHub detailing the SQL injection in process.php, along with VulDB entries (ctiid.290443, id.290443, submit.475076). The vendor site at sourcecodester.com is also listed, though specific patch or mitigation details are not outlined in the CVE description.
The exploit has been disclosed to the public and may be used.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1584
Vulnerability details
A vulnerability has been found in SourceCodester Home Clean Services Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /public_html/admin/process.php. The manipulation of the argument type/length/business leads to sql injection. The…
more
attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in /admin/process.php enables exploitation of public-facing web applications (T1190), abuse of server software components for code execution (T1505 as cited in advisory), and collection of data from databases (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection in /public_html/admin/process.php by validating and sanitizing the type/length/business arguments before database queries.
Requires timely remediation of the specific critical SQL injection flaw (CVE-2025-0294) via patching or code fixes in the Home Clean Services Management System.
Identifies the SQL injection vulnerability through regular automated vulnerability scanning of the affected application and parameters.