CVE-2025-0294
Published: 07 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0294 is a SQL injection vulnerability in SourceCodester Home Clean Services Management System 1.0. The CVE record describes it as "classified as critical", but its CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) falls in the Medium range (4.0 to 6.9) of the CVSS v3.1 severity scale, so the two labels should not be conflated. The flaw affects an unknown functionality in the file /public_html/admin/process.php, where manipulation of the arguments type, length, and business enables the injection. It is mapped to CWE-74 and CWE-89 and was published on 2025-01-07.
The vulnerability is exploitable remotely over the network with low attack complexity, but the PR:H component of the vector means the attacker must already hold a high-privilege (administrative) account, which is consistent with the affected script living under /admin/. With that access, an attacker can achieve limited (C:L/I:L/A:L) impacts on confidentiality, integrity, and availability through SQL injection; the CVE record notes that other parameters might be affected as well.
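The advisory does not publish the vulnerable PHP, so the following is an added example, not the application's own code: a Python/sqlite3 model of the CWE-89 pattern described above, with the three named request parameters (type, length, business) concatenated into the SQL text, beside the parameterized form that closes the hole. The table, rows, and the assumption that length is numeric are constructed for illustration and are not the project's real schema.

```python
import sqlite3

# Constructed sample table standing in for the application's service records.
# Illustrative model only; not the SourceCodester application's schema.
SAMPLE_ROWS = [
    ("Deep clean", 120, "Acme Cleaners", "client-a"),
    ("Window wash", 60, "Acme Cleaners", "client-b"),
    ("Carpet", 90, "Bright Homes", "client-c"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE services(type TEXT, length INTEGER, business TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO services VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, type_, length, business):
    """CWE-89 pattern: request values are spliced into the SQL string.

    A quote in `business`, or an expression in the unquoted `length`,
    rewrites the WHERE clause instead of being compared as data.
    """
    sql = (
        "SELECT type, length, business, owner FROM services "
        f"WHERE type = '{type_}' AND length = {length} AND business = '{business}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, type_, length, business):
    """Hardened form: the SQL grammar is fixed before any user data arrives.

    Values travel as bound parameters, and `length` is coerced to int first,
    so a non-numeric payload is rejected (ValueError) rather than executed.
    """
    length = int(length)  # raises ValueError on "0 OR 1=1 --"
    sql = (
        "SELECT type, length, business, owner FROM services "
        "WHERE type = ? AND length = ? AND business = ?"
    )
    return conn.execute(sql, (type_, length, business)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Legitimate lookup: both variants return the single matching row.
    print(lookup_vulnerable(db, "Deep clean", 120, "Acme Cleaners"))
    # Quote-breakout in the string parameter dumps every row from the vulnerable query.
    print(lookup_vulnerable(db, "x", 0, "' OR '1'='1"))
    # The same payload is just a literal string to the parameterized query.
    print(lookup_safe(db, "x", 0, "' OR '1'='1"))
```

The vulnerable variant returns all three rows for the quote-breakout payload because `'' OR '1'='1'` turns the tail of the WHERE clause into a tautology; the parameterized variant compares the payload as a literal and returns nothing. Note that the numeric parameter is the more dangerous of the two in the concatenated form, since it needs no quote character at all.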
Advisories reference a public exploit disclosure on GitHub detailing the SQL injection in process.php, along with VulDB entries (ctiid.290443, id.290443, submit.475076). The vendor site at sourcecodester.com is also listed, though specific patch or mitigation details are not outlined in the CVE description.
The exploit has been disclosed to the public and may be used.
Details
- CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Affected Products
- SourceCodester Home Clean Services Management System 1.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in /public_html/admin/process.php maps to exploitation of a public-facing application (T1190) and collection of data from databases (T1213.006). The advisory additionally cites Server Software Component (T1505), a persistence technique covering artifacts such as web shells; it would apply only if the injection were chained into writing such a component, which the CVE description does not claim.
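For the detection side of T1190, here is an added example (not from the advisory or the project) that scans web-server access logs for requests to the affected script whose type, length, or business parameter carries SQL metacharacters or keywords. The log lines are constructed sample data in Apache combined format; the parameter names come from the CVE description, everything else (addresses, timestamps, payloads) is invented for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache combined format). Sample data, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jan/2025:10:01:02 +0000] "GET /public_html/admin/process.php?type=Deep+clean&length=120&business=Acme HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jan/2025:10:01:09 +0000] "GET /public_html/admin/process.php?type=x&length=0&business=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9120 "-" "python-requests/2.31"
10.0.0.9 - - [07/Jan/2025:10:01:15 +0000] "GET /public_html/admin/process.php?type=x&length=0+UNION+SELECT+1,2,3&business=y HTTP/1.1" 500 310 "-" "python-requests/2.31"
10.0.0.7 - - [07/Jan/2025:10:02:00 +0000] "GET /public_html/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Parameters named in the CVE description as injection points.
WATCHED_PARAMS = ("type", "length", "business")

# Quote, comment, statement separator, and boolean/UNION/time-based keywords
# typical of SQL injection probes. Word boundaries keep "Floor" from matching "or".
SQLI_RE = re.compile(r"('|--|/\*|;|\b(or|and|union|select|sleep)\b)", re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip, ts, method, status, path and decoded query params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes percent-escapes and '+' so the payload is inspected in clear text.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_sqli_hits(log_text, path_suffix="/admin/process.php"):
    """Flag requests to the affected script whose watched parameters look like SQLi."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(path_suffix):
            continue
        for name in WATCHED_PARAMS:
            for value in rec["params"].get(name, []):
                if SQLI_RE.search(value):
                    hits.append({
                        "ip": rec["ip"],
                        "ts": rec["ts"],
                        "status": rec["status"],
                        "param": name,
                        "value": value,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_sqli_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} {hit["param"]}={hit["value"]!r}')
```

Two caveats when turning this into a real detection: the keyword list will false-positive on natural-language values such as "doors and windows", so score hits by pattern rather than alerting on any single match; and access logs only carry GET query strings, so if the application submits these parameters by POST the payloads never appear here and the check has to run on request bodies (a WAF or reverse-proxy log) or on the database's query log instead.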