
CVE-2025-69562

Critical · Public PoC

Published: 27 January 2026
Modified: 03 February 2026
KEV Added: not listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (35.2 percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-69562 is a critical-severity SQL Injection (CWE-89) vulnerability in Fabian Mobile Shop Management System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 35.2 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69562 affects code-projects Mobile Shop Management System 1.0, where a SQL injection vulnerability exists in the /insertmessage.php endpoint through the userid parameter. The flaw, classified under CWE-89, lets an attacker inject SQL through that parameter because the input is neither adequately validated nor passed to the database as a bound parameter. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity: network accessibility, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Remote, unauthenticated attackers can exploit this vulnerability by sending crafted requests to the vulnerable endpoint, enabling arbitrary SQL query execution against the backend database. Successful exploitation could result in unauthorized data extraction, modification, or deletion, potentially compromising the entire database, including sensitive customer or business information stored in the mobile shop management system.

Advisories and references for mitigation are available at https://gist.github.com/lih28984-commits/a847a034c3bb626904dcc6ab7576257f and https://gitee.com/Z_180yc/zyy/issues/IDC5FU, which security practitioners should consult for detailed patch information, workaround guidance, or updated versions of the software.


Vulnerability details

code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of unauthenticated SQL injection in a public-facing web endpoint (/insertmessage.php) matches T1190: it provides initial access and arbitrary query execution against the backend database.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69563 (same product: Fabian Mobile Shop Management System)
CVE-2025-69564 (same product: Fabian Mobile Shop Management System)
CVE-2025-69565 (same product: Fabian Mobile Shop Management System)
CVE-2026-0851 (same vendor: Fabian)
CVE-2026-2060 (same vendor: Fabian)
CVE-2025-7186 (same vendor: Fabian)
CVE-2026-2197 (same vendor: Fabian)
CVE-2025-7189 (same vendor: Fabian)
CVE-2026-0592 (same vendor: Fabian)
CVE-2026-0607 (same vendor: Fabian)

Affected Assets

Vendor: fabian
Product: mobile shop management system
Version: 1.0

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 (prevent): SI-10 directly requires validation of the userid parameter in /insertmessage.php to prevent SQL injection by ensuring inputs are sanitized or parameterized.

SI-2 (prevent): SI-2 mandates timely identification, reporting, and correction of the SQL injection flaw, such as through patching the vulnerable Mobile Shop Management System.

RA-5 (detect): RA-5 requires vulnerability scanning that can detect the SQL injection vulnerability in the /insertmessage.php endpoint prior to exploitation.
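The following PHP snippet is an added illustration of the CWE-89 pattern described in the analysis above and of the SI-10 control (input validation plus parameterization); it is not code from the Mobile Shop Management System project. Only the endpoint name /insertmessage.php and the userid parameter come from the advisory. The table name `messages`, the `message` column, the `$pdo` connection and the DSN/credential placeholders are assumptions made for the example.

```php
<?php
// Added illustration; not code from the Mobile Shop Management System project.
// Assumed: a PDO connection $pdo and a table `messages` with columns
// `userid` and `message`. Only /insertmessage.php and the `userid`
// parameter are taken from the advisory.

// --- Vulnerable pattern (the class of defect CWE-89 describes) ---
// The request value is concatenated straight into the SQL text, so any
// quote or SQL syntax inside $post['userid'] becomes part of the query.
function insertMessageVulnerable(PDO $pdo, array $post): bool
{
    $userid  = $post['userid'] ?? '';
    $message = $post['message'] ?? '';
    $sql = "INSERT INTO messages (userid, message) VALUES ('$userid', '$message')";
    return $pdo->exec($sql) !== false;
}

// --- Hardened version (SI-10: validate, then parameterize) ---
function insertMessageSafe(PDO $pdo, array $post): bool
{
    // 1. Validate: userid must be a positive integer. Anything else is
    //    rejected before it reaches the database layer.
    $userid = filter_var($post['userid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($userid === false) {
        http_response_code(400);
        return false;
    }
    $message = $post['message'] ?? '';
    if (!is_string($message) || mb_strlen($message) > 1000) {
        http_response_code(400);
        return false;
    }

    // 2. Parameterize: the SQL text is fixed at prepare time; the values
    //    are sent separately and are never interpreted as SQL, whatever
    //    characters they contain.
    $stmt = $pdo->prepare(
        'INSERT INTO messages (userid, message) VALUES (:userid, :message)'
    );
    $stmt->bindValue(':userid', $userid, PDO::PARAM_INT);
    $stmt->bindValue(':message', $message, PDO::PARAM_STR);
    return $stmt->execute();
}

// Example wiring for the endpoint. DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements rather than client-side
        // emulation, so parameters are never spliced into the query text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    insertMessageSafe($pdo, $_POST);
}
```

The validation step alone would already close the userid vector for an integer field, but parameterization is what makes the fix robust: it protects the free-text message column as well, and it does not depend on remembering to validate every parameter that is later added to the endpoint. Disabling `PDO::ATTR_EMULATE_PREPARES` ensures the separation of query and data is enforced by the database server rather than by the client library.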
