CVE-2025-2654
Published: 23 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-2654 is a critical SQL injection vulnerability in SourceCodester AC Repair and Services System 1.0, affecting an unknown part of the file /admin/services/manage_service.php through manipulation of the ID argument. Published on 2025-03-23T16:15:13.840, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWEs-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
The vulnerability enables remote exploitation by unauthenticated attackers with low attack complexity and no user interaction required. Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL payloads.
Advisories and exploit details are documented in references including VulDB entries (ctiid.300669, id.300669, submit.520013), a GitHub repository at Colorado-all/cve containing an exploit PoC (SQL-4.md), and the SourceCodester website. No specific patch or mitigation guidance is detailed in the initial disclosure.
The exploit has been publicly disclosed and may be used in real-world attacks against exposed instances of the affected system.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in public-facing web application (/admin/services/manage_service.php) enables initial access via exploitation of public-facing application (T1190), unauthorized data collection from backend databases (T1213.006), and manipulation/corruption of stored database data (T1565.001).