CVE-2025-69564

Critical · Public PoC · RCE

Published: 27 January 2026
Modified: 02 February 2026
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (31.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-69564 is a critical-severity Code Injection (CWE-94) vulnerability in Fabian Mobile Shop Management System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-69564, published on 2026-01-27, is a SQL injection vulnerability (CWE-94) in the code-projects Mobile Shop Management System version 1.0. The issue resides in the /ExAddNewUser.php component, where the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters fail to properly sanitize user input, allowing injection of malicious SQL code.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as extracting sensitive data from the database, modifying user records, or disrupting system operations.
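The hardened form of such a user-creation handler, as an added example that is not the project's own code: the nine request parameters the advisory lists for /ExAddNewUser.php are validated and then bound as prepared-statement parameters, which is what the SI-10 input-validation control amounts to here. Table and column names, the allowed Role and Activate values, password hashing and the in-memory SQLite store are assumptions made for the demo.

```php
<?php
// Added example, not code from the Mobile Shop Management System. Table and
// column names, the allowed Role/Activate values, password hashing and the
// SQLite store are assumptions; the parameters are those listed for /ExAddNewUser.php.
declare(strict_types=1);
function addNewUser(PDO $db, array $post): bool
{
    $fields = ['Name', 'Address', 'email', 'UserName', 'Password',
               'confirm_password', 'Role', 'Branch', 'Activate'];
    foreach ($fields as $f) {          // reject missing or non-scalar input
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return false;
        }
    }
    // Enumerated fields are checked against an allow-list (assumed values).
    if ($post['Password'] !== $post['confirm_password']
        || !in_array($post['Role'], ['admin', 'staff'], true)
        || !in_array($post['Activate'], ['0', '1'], true)
        || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Values are bound as parameters, never spliced into the SQL text, so a
    // quote or comment sequence in Name is stored as data rather than parsed.
    $stmt = $db->prepare(
        'INSERT INTO users (name, address, email, username, password_hash,
                            role, branch, activate)
         VALUES (:name, :address, :email, :username, :pw, :role, :branch, :act)'
    );
    return $stmt->execute([
        ':name'     => $post['Name'],
        ':address'  => $post['Address'],
        ':email'    => $post['email'],
        ':username' => $post['UserName'],
        ':pw'       => password_hash($post['Password'], PASSWORD_DEFAULT),
        ':role'     => $post['Role'],
        ':branch'   => $post['Branch'],
        ':act'      => (int) $post['Activate'],
    ]);
}

// Stand-alone check against an in-memory SQLite database with constructed input.
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server binds.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, address TEXT, email TEXT,
           username TEXT UNIQUE, password_hash TEXT, role TEXT, branch TEXT, activate INTEGER)');
$ok = addNewUser($db, ['Name' => "O'Brien", 'Address' => '1 Main St', 'email' => 'ob@example.com',
    'UserName' => 'obrien', 'Password' => 'pw', 'confirm_password' => 'pw',
    'Role' => 'staff', 'Branch' => 'North', 'Activate' => '1']);
$name = $db->query('SELECT name FROM users')->fetchColumn();
echo ($ok && $name === "O'Brien") ? "stored literally\n" : "unexpected\n";
```

The apostrophe in the constructed Name value is the point of the check: with binding it reaches the table unchanged instead of terminating the string literal.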

Advisories and further details on mitigation are available in the referenced sources: https://gist.github.com/lih28984-commits/87eacfc32186020a04e03a2af448723f and https://gitee.com/Z_180yc/zyy/issues/IDCEJP.


Vulnerability details

code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters.


MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in a web application component (/ExAddNewUser.php) enables unauthenticated attackers to exploit a public-facing app for data access/modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69563: Same product (Fabian Mobile Shop Management System)
CVE-2025-69562: Same product (Fabian Mobile Shop Management System)
CVE-2025-69565: Same product (Fabian Mobile Shop Management System)
CVE-2026-1443: Same vendor (Fabian)
CVE-2026-0606: Same vendor (Fabian)
CVE-2026-0589: Same vendor (Fabian)
CVE-2026-2166: Same vendor (Fabian)
CVE-2026-0575: Same vendor (Fabian)
CVE-2026-0570: Same vendor (Fabian)
CVE-2026-2173: Same vendor (Fabian)

Affected Assets

Vendor: fabian
Product: mobile shop management system
Version: 1.0

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of user inputs such as Name, Address, email, UserName, Password, and the other parameters in /ExAddNewUser.php to prevent SQL injection exploitation.

Prevent: Mandates identification, reporting, and timely remediation of the SQL injection flaw in /ExAddNewUser.php to eliminate the vulnerability.

Detect (RA-5, Vulnerability Monitoring and Scanning): Requires vulnerability scanning that would identify the SQL injection vulnerability in /ExAddNewUser.php in the Mobile Shop Management System.
