CVE-2025-69565
Published: 27 January 2026
Summary
CVE-2025-69565 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Fabian Mobile Shop Management System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the unrestricted file upload by enforcing validation mechanisms on file types, extensions, and content in /ExAddProduct.php to block dangerous uploads.
Remediates the specific flaw in the code-projects Mobile Shop Management System 1.0 by identifying, patching, and deploying fixes for the vulnerable /ExAddProduct.php component.
Enforces logical access controls to require authentication and authorization for the /ExAddProduct.php endpoint, mitigating the no-privileges-required (PR:N) aspect of the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in public-facing web app (ExAddProduct.php) directly enables T1190 for unauthenticated RCE and T1505.003 for web shell deployment.
NVD Description
code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php.
Deeper analysisAI
CVE-2025-69565 affects code-projects Mobile Shop Management System 1.0, specifically through an unrestricted file upload vulnerability in the /ExAddProduct.php component. This flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), allows attackers to upload arbitrary files without sufficient validation. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Remote attackers require no authentication or privileges (PR:N) to exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables uploading malicious files, potentially leading to severe outcomes such as remote code execution, data compromise, or system disruption, given the high impact ratings across all three CIA triad categories (C:H/I:H/A:H) without scope change (S:U).
Advisories and additional details on mitigation are available in the referenced sources, including a GitHub Gist at https://gist.github.com/lih28984-commits/81d523afde3b122c652f652bab808e33 and a Gitee issue at https://gitee.com/Z_180yc/zyy/issues/IDCFAQ.
Details
- CWE(s)