Cyber Posture

CVE-2025-69564

Critical · Public PoC · RCE

Published: 27 January 2026
Modified: 02 February 2026
KEV Added: not listed
Patch: none recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (14.1st percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69564 is a critical-severity SQL injection vulnerability in the Mobile Shop Management System 1.0 (vendor recorded here as Fabian; NVD names the product code-projects Mobile Shop Management System). The tracked weakness is CWE-94 (Code Injection), although the NVD description itself describes a SQL injection. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 14.1st percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of user inputs such as Name, Address, email, UserName and Password in /ExAddNewUser.php to prevent SQL injection exploitation.

SI-2 Flaw Remediation (prevent)
Mandates identification, reporting, and timely remediation of the SQL injection flaw in /ExAddNewUser.php to eliminate the vulnerability.

RA-5 Vulnerability Monitoring and Scanning (detect)
Requires vulnerability scanning that would identify the SQL injection vulnerability in /ExAddNewUser.php in the Mobile Shop Management System.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

Direct remote SQL injection in a web application component (/ExAddNewUser.php) lets an unauthenticated attacker exploit a public-facing application to read or modify database contents.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters.

Deeper analysis

CVE-2025-69564, published on 2026-01-27, is a SQL injection vulnerability (recorded under CWE-94, Code Injection) in code-projects Mobile Shop Management System version 1.0. The flaw resides in the /ExAddNewUser.php component, where the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters reach the database query without proper sanitization or parameterization, so an attacker can supply SQL of their own in any of them.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), meaning it is exploitable remotely over the network by an unauthenticated attacker, with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability: extracting sensitive data from the database, modifying user records, or disrupting system operations.
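The flaw class described above, shown as an added example that is not code from the Mobile Shop Management System or from any referenced advisory. An in-memory SQLite database stands in for the application's database, and the table name, column names and the role allow-list are assumptions. The vulnerable insert splices the request fields into the SQL text, so a crafted UserName value closes the VALUES list early and fixes Role and Activate to values the attacker chooses; the hardened insert applies allow-list validation (the SI-10 control) and a parameterized query, so the same payload is stored as an ordinary string.

```python
import sqlite3

# Constructed stand-in for the table /ExAddNewUser.php writes to. The table
# and column names are assumptions, not taken from the application's source.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    name TEXT, address TEXT, email TEXT, username TEXT, password TEXT,
    role TEXT, branch TEXT, activate INTEGER
)
"""

ALLOWED_ROLES = {"Administrator", "Cashier"}   # assumed allow-list for Role
COLUMNS = "name, address, email, username, password, role, branch, activate"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user_vulnerable(conn, form):
    """Same flaw class as the advisory: request fields spliced into SQL text."""
    sql = (
        f"INSERT INTO users ({COLUMNS}) VALUES ("
        f"'{form['Name']}', '{form['Address']}', '{form['email']}', "
        f"'{form['UserName']}', '{form['Password']}', '{form['Role']}', "
        f"'{form['Branch']}', '{form['Activate']}')"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def add_user_safe(conn, form):
    """Hardened form: allow-list validation (SI-10) plus a parameterized INSERT."""
    if form["Role"] not in ALLOWED_ROLES:
        raise ValueError(f"rejected Role value {form['Role']!r}")
    if form["Activate"] not in ("0", "1"):
        raise ValueError(f"rejected Activate value {form['Activate']!r}")
    if form["Password"] != form["confirm_password"]:
        raise ValueError("password confirmation mismatch")
    # Only the constant column list is interpolated; every request value is bound.
    conn.execute(
        f"INSERT INTO users ({COLUMNS}) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        (form["Name"], form["Address"], form["email"], form["UserName"],
         form["Password"], form["Role"], form["Branch"], int(form["Activate"])),
    )
    conn.commit()


def user_row(conn, username):
    """Returns (username, role, activate) for an exact username match, or None."""
    cur = conn.execute(
        "SELECT username, role, activate FROM users WHERE username = ?", (username,)
    )
    return cur.fetchone()


def demo():
    # Constructed request: UserName carries the injection; Role and Activate
    # hold the values the application would otherwise store for a new user.
    form = {
        "Name": "Mallory", "Address": "1 Example St",
        "email": "mallory@example.invalid",
        "UserName": "mallory', 'pw', 'Administrator', 'HQ', 1) -- ",
        "Password": "secret", "confirm_password": "secret",
        "Role": "Cashier", "Branch": "Main", "Activate": "0",
    }
    vuln = fresh_db()
    add_user_vulnerable(vuln, form)   # payload ends the VALUES list; rest is a comment
    safe = fresh_db()
    add_user_safe(safe, form)         # payload is just the stored username
    return user_row(vuln, "mallory"), user_row(safe, form["UserName"])


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the stored row is an activated Administrator named mallory, regardless of the Role and Activate values the application passed; in the hardened path the whole payload is the username, the role stays Cashier and the account stays inactive. The allow-list also rejects a Role value that is not one of the expected strings before any query runs, which is the SI-10 check the controls above call for.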

Advisories and further details on mitigation are available in the referenced sources: https://gist.github.com/lih28984-commits/87eacfc32186020a04e03a2af448723f and https://gitee.com/Z_180yc/zyy/issues/IDCEJP.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: fabian : mobile shop management system : 1.0

CVEs Like This One

CVE-2025-69562 (same product: Fabian Mobile Shop Management System)
CVE-2025-69563 (same product: Fabian Mobile Shop Management System)
CVE-2025-69565 (same product: Fabian Mobile Shop Management System)
CVE-2026-2060 (same vendor: Fabian)
CVE-2025-7189 (same vendor: Fabian)
CVE-2026-0570 (same vendor: Fabian)
CVE-2026-2220 (same vendor: Fabian)
CVE-2026-2172 (same vendor: Fabian)
CVE-2026-2196 (same vendor: Fabian)
CVE-2025-0300 (same vendor: Fabian)
