CVE-2025-69564
Published: 27 January 2026
Summary
CVE-2025-69564 is a critical-severity Code Injection (CWE-94) vulnerability in Fabian Mobile Shop Management System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-69564, published on 2026-01-27, is a SQL injection vulnerability (classified as CWE-94, Code Injection) in the code-projects Mobile Shop Management System version 1.0. The flaw is in the /ExAddNewUser.php component, where the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters are not properly sanitized before being used in database queries, allowing an attacker to inject SQL.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as extracting sensitive data from the database, modifying user records, or disrupting system operations.
Advisories and further details on mitigation are available in the referenced sources: https://gist.github.com/lih28984-commits/87eacfc32186020a04e03a2af448723f and https://gitee.com/Z_180yc/zyy/issues/IDCEJP.
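As an added illustration of the fix the controls below call for (this is not code from the project or from the advisory), the following PHP shows how a handler for the parameters named above can be hardened: each parameter is validated, the password is hashed, and all values are bound through a prepared statement instead of being concatenated into the query. The table and column names, the allowed Role values, and the PDO connection are assumptions.

```php
<?php
// Hypothetical hardened handler for an "add new user" endpoint taking the
// parameters listed in the advisory. The vulnerable pattern it replaces is
// splicing $_POST values directly into an INSERT string.
// Assumed (not from the page): table `users`, MySQL via PDO, column names below.

function addNewUser(PDO $pdo, array $input): int {
    $fields = ['Name', 'Address', 'email', 'UserName', 'Password',
               'confirm_password', 'Role', 'Branch', 'Activate'];
    foreach ($fields as $f) {
        if (!isset($input[$f]) || !is_string($input[$f])) {
            throw new InvalidArgumentException("missing parameter: $f");
        }
    }
    if (filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $input['UserName'])) {
        throw new InvalidArgumentException('invalid UserName');
    }
    if (!in_array($input['Role'], ['admin', 'staff'], true)) { // assumed role set
        throw new InvalidArgumentException('invalid Role');
    }
    if ($input['Password'] !== $input['confirm_password'] || strlen($input['Password']) < 12) {
        throw new InvalidArgumentException('password mismatch or too short');
    }
    $activate = ($input['Activate'] === '1') ? 1 : 0;

    // Disable emulated prepares so the server, not the driver, binds parameters.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // Parameterised INSERT: user input is bound as data, never as SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO users (name, address, email, username, password_hash, role, branch, activate)
         VALUES (:name, :address, :email, :username, :pwhash, :role, :branch, :activate)'
    );
    $stmt->execute([
        ':name'     => $input['Name'],
        ':address'  => $input['Address'],
        ':email'    => $input['email'],
        ':username' => $input['UserName'],
        ':pwhash'   => password_hash($input['Password'], PASSWORD_DEFAULT),
        ':role'     => $input['Role'],
        ':branch'   => $input['Branch'],
        ':activate' => $activate,
    ]);
    return (int) $pdo->lastInsertId();
}
```

The validation rules are illustrative; the essential change is that no request value reaches the query except as a bound parameter.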
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206391
Vulnerability details
code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Unauthenticated remote SQL injection in a web application component (/ExAddNewUser.php) lets an attacker exploit a public-facing application to read or modify its data.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of user inputs such as Name, Address, email, UserName, Password, and the other parameters of /ExAddNewUser.php to prevent SQL injection.
- Mandates identification, reporting, and timely remediation of the SQL injection flaw in /ExAddNewUser.php to eliminate the vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning that would identify the SQL injection vulnerability in /ExAddNewUser.php in the Mobile Shop Management System.