Cyber Resilience

CVE-2025-69565

CriticalPublic PoC

Published: 27 January 2026

Published
27 January 2026
Modified
03 February 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0042 33.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-69565 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Fabian Mobile Shop Management System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-69565 affects code-projects Mobile Shop Management System 1.0, specifically through an unrestricted file upload vulnerability in the /ExAddProduct.php component. This flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), allows attackers to upload arbitrary files without sufficient validation. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Remote attackers require no authentication or privileges (PR:N) to exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables uploading malicious files, potentially leading to severe outcomes such as remote code execution, data compromise, or system disruption, given the high impact ratings across all three CIA triad categories (C:H/I:H/A:H) without scope change (S:U).

Advisories and additional details on mitigation are available in the referenced sources, including a GitHub Gist at https://gist.github.com/lih28984-commits/81d523afde3b122c652f652bab808e33 and a Gitee issue at https://gitee.com/Z_180yc/zyy/issues/IDCFAQ.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in public-facing web app (ExAddProduct.php) directly enables T1190 for unauthenticated RCE and T1505.003 for web shell deployment.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69564Same product: Fabian Mobile Shop Management System
CVE-2025-69563Same product: Fabian Mobile Shop Management System
CVE-2025-69562Same product: Fabian Mobile Shop Management System
CVE-2024-57668Same vendor: Fabian
CVE-2025-70151Same vendor: Fabian
CVE-2026-1423Same vendor: Fabian
CVE-2025-7190Same vendor: Fabian
CVE-2026-2213Same vendor: Fabian
CVE-2026-2133Same vendor: Fabian
CVE-2025-0335Same vendor: Fabian

Affected Assets

fabian
mobile shop management system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the unrestricted file upload by enforcing validation mechanisms on file types, extensions, and content in /ExAddProduct.php to block dangerous uploads.

prevent

Remediates the specific flaw in the code-projects Mobile Shop Management System 1.0 by identifying, patching, and deploying fixes for the vulnerable /ExAddProduct.php component.

prevent

Enforces logical access controls to require authentication and authorization for the /ExAddProduct.php endpoint, mitigating the no-privileges-required (PR:N) aspect of the vulnerability.

References