CVE-2025-69562
Published: 27 January 2026
Summary
CVE-2025-69562 is a critical-severity SQL Injection (CWE-89) vulnerability in Fabian Mobile Shop Management System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked in the 15.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly requires validation of the userid parameter in /insertmessage.php to prevent SQL injection by ensuring inputs are sanitized or parameterized.
SI-2 mandates timely identification, reporting, and correction of the SQL injection flaw, such as through patching the vulnerable Mobile Shop Management System.
RA-5 requires vulnerability scanning that can detect the SQL injection vulnerability in the /insertmessage.php endpoint prior to exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of an unauthenticated SQL injection in a public-facing web endpoint (/insertmessage.php) matches T1190 for initial access and arbitrary query execution.
NVD Description
code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter.
Deeper analysis
CVE-2025-69562 affects code-projects Mobile Shop Management System 1.0, where a SQL injection vulnerability exists in the /insertmessage.php endpoint through the userid parameter. This flaw, classified under CWE-89, allows attackers to inject malicious SQL code due to insufficient input sanitization or parameterization. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity with network accessibility, low attack complexity, no required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
Remote, unauthenticated attackers can exploit this vulnerability by sending crafted requests to the vulnerable endpoint, enabling arbitrary SQL query execution against the backend database. Successful exploitation could result in unauthorized data extraction, modification, or deletion, potentially compromising the entire database, including sensitive customer or business information stored in the mobile shop management system.
Advisories and references for mitigation are available at https://gist.github.com/lih28984-commits/a847a034c3bb626904dcc6ab7576257f and https://gitee.com/Z_180yc/zyy/issues/IDC5FU, which security practitioners should consult for detailed patch information, workaround guidance, or updated versions of the software.
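The SI-10 control above and the deeper analysis both come down to the same fix: validate the userid parameter and bind values instead of splicing them into the query. The following is an added illustration (not code from the Mobile Shop Management System, which is PHP; the same pattern applies with PDO or mysqli prepared statements) using Python's sqlite3 module and a constructed messages table, showing the CWE-89 concatenation pattern next to a validated, parameterized version.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a messages table (the real schema is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL, body TEXT NOT NULL)")
    return conn


def insert_message_unsafe(conn, userid, body):
    """The CWE-89 pattern: request values are spliced into the SQL text, so any quote
    character in the input changes the structure of the statement."""
    sql = f"INSERT INTO messages (userid, body) VALUES ('{userid}', '{body}')"
    conn.execute(sql)
    conn.commit()


def validate_userid(raw):
    """SI-10 style allow-list check: userid is accepted only as an ASCII decimal string."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("userid must be a decimal integer")
    return int(raw)


def insert_message_safe(conn, raw_userid, body):
    """Hardened form: validate first, then bind values through placeholders so the
    driver never interprets them as SQL."""
    userid = validate_userid(raw_userid)
    conn.execute("INSERT INTO messages (userid, body) VALUES (?, ?)", (userid, body))
    conn.commit()
    return userid


def stored_bodies(conn, userid):
    return [row[0] for row in conn.execute("SELECT body FROM messages WHERE userid = ?", (userid,))]


def demo():
    """Run both variants on a constructed message containing an apostrophe and report
    whether the unsafe variant broke the statement and what the safe variant stored."""
    conn = make_db()
    body = "Don't ship yet"  # constructed sample input
    unsafe_failed = False
    try:
        insert_message_unsafe(conn, "7", body)
    except sqlite3.OperationalError:  # the apostrophe ended the string literal early
        unsafe_failed = True
    insert_message_safe(conn, "7", body)
    return unsafe_failed, stored_bodies(conn, 7)


if __name__ == "__main__":
    print(demo())  # (True, ["Don't ship yet"])
```

The unsafe variant fails on ordinary punctuation; the same property that breaks it here is what lets crafted input alter the query, and the bound-parameter version stores the text unchanged.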
Details
- CWE(s)