CVE-2025-2655
Published: 23 March 2025
Summary
CVE-2025-2655 is a high-severity Injection (CWE-74) vulnerability in Oretnom23 Ac Repair And Services System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation of untrusted inputs like the ID argument in /classes/Users.php before incorporation into SQL commands.
Mandates timely identification, reporting, and correction of the specific SQL injection flaw in save_users/delete_users functions.
Supports detection of SQL injection vulnerabilities like CVE-2025-2655 through scanning and drives remediation to address them.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote SQL injection in public-facing web application (Users.php) enables exploitation for initial access (T1190) and facilitates arbitrary database queries for data collection from databases (T1213.006).
NVD Description
A vulnerability was detected in SourceCodester AC Repair and Services System 1.0. The affected element is the function save_users/delete_users of the file /classes/Users.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack…
more
remotely. The exploit is now public and may be used. Other parameters might be affected as well.
Deeper analysisAI
CVE-2025-2655 is a SQL injection vulnerability in SourceCodester AC Repair and Services System 1.0, affecting the save_users and delete_users functions in the file /classes/Users.php. The issue arises from improper handling of the ID argument, allowing manipulation that leads to SQL injection. It is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no privileges or user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL payloads. Other parameters in the affected functions may also be vulnerable.
Advisories and details are documented in references including a GitHub proof-of-concept at https://github.com/Colorado-all/cve/blob/main/AC%20Repair%20and%20Services%20System%20using/SQL-8.md and VulDB entries at https://vuldb.com/?ctiid.300670, https://vuldb.com/?id.300670, https://vuldb.com/?submit.520017, and https://vuldb.com/?submit.696635. No specific patches or mitigations are detailed in the available information.
The exploit is public and may be used, increasing the risk for exposed instances of the affected system. The vulnerability was published on 2025-03-23.
Details
- CWE(s)