CVE-2025-7186
Published: 08 July 2025
Summary
CVE-2025-7186 is a low-severity Injection (CWE-74) vulnerability in Fabian Chat System. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-7186 is a SQL injection vulnerability in code-projects Chat System 1.0, published on 2025-07-08. The issue affects unknown processing in the file /user/fetch_chat.php, where manipulation of the ID argument enables the injection. Rated as critical with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it maps to CWE-74 and CWE-89.
A remote attacker can exploit this vulnerability by manipulating the ID parameter in /user/fetch_chat.php. Exploitation requires low privileges (PR:L), low attack complexity, and no user interaction, allowing network-based initiation. Successful attacks result in low impacts to confidentiality, integrity, and availability.
Advisories referenced on VulDB (ctiid.315125, id.315125, submit.607195) and a GitHub repository (LamentXU123/cve/sql_fetch_chat.md) provide further details, while the project site is at code-projects.org. The exploit has been disclosed publicly and may be used, with no specific patch or mitigation steps detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20675
Vulnerability details
A vulnerability was found in code-projects Chat System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /user/fetch_chat.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a publicly accessible web application (/user/fetch_chat.php) directly enables remote exploitation of a public-facing service.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of the ID parameter in fetch_chat.php to block SQL injection payloads before they reach the database.
- Enforces least privilege so that only the minimal database permissions are granted to the chat-system account, limiting the impact of a successful ID-based injection.
- Enables monitoring of database query patterns and anomalies originating from /user/fetch_chat.php to identify exploitation attempts in progress.
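As an added illustration of the input-validation control above (example code written for this page, not code from the Chat System project), the following Python/sqlite3 model of a "fetch chat by ID" lookup shows the string-splicing pattern behind CWE-89 beside a version that validates the ID and binds it as a query parameter. The table schema, column names and the per-user scoping are assumptions, not details taken from the project.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the table behind an endpoint like
# /user/fetch_chat.php. Schema and sample rows are assumed for this example.
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE chats (id INTEGER PRIMARY KEY, user_id INTEGER, message TEXT)"
    )
    conn.executemany(
        "INSERT INTO chats (id, user_id, message) VALUES (?, ?, ?)",
        [(1, 10, "hello"), (2, 10, "second"), (3, 11, "belongs to another user")],
    )
    return conn

def vulnerable_query(raw_id: str) -> str:
    # The anti-pattern behind CWE-89: the request value is spliced into the SQL
    # text, so anything other than a plain number rewrites the query itself.
    # Returned as a string only; this example never executes it.
    return f"SELECT id, user_id, message FROM chats WHERE id = {raw_id}"

def is_valid_chat_id(raw_id: str) -> bool:
    # SI-10 style check: accept only a canonical positive integer
    # (no sign, no leading zero, no whitespace, no SQL syntax).
    return re.fullmatch(r"[1-9][0-9]{0,9}", raw_id) is not None

def fetch_chat(conn: sqlite3.Connection, raw_id: str, current_user: int):
    # Returns (status, row): "bad_request" for rejected input (HTTP 400 in a
    # web handler), "not_found" for no match, "ok" with the row otherwise.
    if not is_valid_chat_id(raw_id):
        return ("bad_request", None)
    chat_id = int(raw_id)
    # Parameterised query: the driver sends chat_id as data, never as SQL text.
    # Scoping to current_user is an assumed authorization check on top of it.
    row = conn.execute(
        "SELECT id, user_id, message FROM chats WHERE id = ? AND user_id = ?",
        (chat_id, current_user),
    ).fetchone()
    return ("ok", row) if row else ("not_found", None)
```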