CVE Alert: CVE-2025-10079 – PHPGurukul – Small CRM

CVE-2025-10079

HIGH
No exploitation known

A flaw has been found in PHPGurukul Small CRM 4.0. Affected by this vulnerability is an unknown functionality of the file /get-quote.php. Manipulation of the argument Contact leads to SQL injection. The attack can be launched remotely. The exploit has been published and may be used.

CVSS v3.1 score: 7.3
Vendor: PHPGurukul
Product: Small CRM
Versions: 4.0
CWE: CWE-89, SQL Injection
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-08T02:32:07.484Z
Updated: 2025-09-08T02:32:07.484Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated remote SQL injection with a publicly disclosed exploit; patching should be treated as urgent.

Why this matters

Direct access to get-quote.php allows manipulation of the Contact parameter to exfiltrate or alter database content. The vulnerability affects a CRM component, meaning customer data exposure or tampering could impact trust, compliance, and revenue. The presence of a publicly available exploit raises the likelihood of automated attacks against exposed deployments.

Most likely attack path

An external attacker can reach get-quote.php over the network, supply crafted Contact input, and trigger SQL injection without authentication. The CVSS signals remote access, low user interaction, and no privileges required, with modest but persistent impact on confidentiality, integrity, and availability. If successful, attackers may read or modify data and potentially leverage compromised credentials or connections for further access within the application stack.

Who is most exposed

Any organisation running PHPGurukul Small CRM 4.0 on publicly reachable hosts, especially in shared hosting or poorly segmented environments, is at risk. Unpatched test, staging, or dev instances exposed to the internet also present vulnerable entry points.

Detection ideas

  • Logs show suspicious Contact values in GET parameters to /get-quote.php (e.g., classic SQLi patterns).
  • Database error messages or syntax errors logged around /get-quote.php requests.
  • Unusual spikes in query latency or abnormal data returned from the CRM DB.
  • WAF/IDS alerts for SQLi payloads targeting PHP CGI endpoints.
  • Increased failed or unexpected authentication/authorization events tied to the CRM endpoint.
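The first two detection ideas above can be checked offline against web-server access logs. The following PHP script is an added example, not part of the advisory or of PHPGurukul's code: it assumes Apache "combined" log format, extracts the Contact query parameter from requests to /get-quote.php, and flags values that carry common injection indicators (a quote followed by an SQL keyword, comment terminators, UNION/SELECT, stacked statements or time-delay functions). The log lines at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not the advisory's or the vendor's code). Assumes Apache
// "combined" access-log format; sample log lines below are constructed.

// Indicator patterns a WAF or SIEM rule would typically carry for CWE-89.
const SQLI_INDICATORS = [
    'quote_then_keyword' => '/[\'"][\s\)]*(or|and|union|select)\b/i',
    'comment_terminator' => '/(--|#|\/\*)/',
    'union_select'       => '/\bunion\b.*\bselect\b/i',
    'stacked_or_delay'   => '/;\s*\w|\b(sleep|benchmark)\s*\(/i',
];

// Pull the decoded Contact value out of a request line for /get-quote.php,
// or null when the line is for another resource or carries no Contact param.
function extractContactParam(string $line): ?string
{
    if (!preg_match('#"(?:GET|POST) (/get-quote\.php\?[^" ]*)#', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);              // parse_str also URL-decodes
    return isset($params['Contact']) ? (string) $params['Contact'] : null;
}

// Return the names of every indicator that matches the given value.
function classifyContact(string $value): array
{
    $hits = [];
    foreach (SQLI_INDICATORS as $name => $re) {
        if (preg_match($re, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan a list of log lines; return the flagged ones with line number and reasons.
function flagSuspiciousRequests(array $lines): array
{
    $flagged = [];
    foreach ($lines as $n => $line) {
        $contact = extractContactParam($line);
        if ($contact === null) {
            continue;
        }
        $hits = classifyContact($contact);
        if ($hits !== []) {
            $flagged[] = ['line' => $n + 1, 'contact' => $contact, 'indicators' => $hits];
        }
    }
    return $flagged;
}

// Constructed sample: one benign request, one benign value containing a
// single dash (must not trip the '--' indicator), one injection attempt.
$sampleLog = [
    '203.0.113.5 - - [08/Sep/2025:03:01:10 +0000] "GET /get-quote.php?Contact=9876543210 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [08/Sep/2025:03:01:12 +0000] "GET /get-quote.php?Contact=555-0100 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Sep/2025:03:02:41 +0000] "GET /get-quote.php?Contact=%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.9 - - [08/Sep/2025:03:02:45 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
];

foreach (flagSuspiciousRequests($sampleLog) as $f) {
    printf("line %d: Contact=%s  indicators: %s\n",
        $f['line'], $f['contact'], implode(', ', $f['indicators']));
}
// Only line 3 is reported (quote_then_keyword, comment_terminator).
```

The 500 status on the flagged line is itself the second detection idea in the list: a database syntax error surfacing as a server error right after a suspicious Contact value is a stronger signal than either observation alone.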

Mitigation and prioritisation

  • Apply vendor patch or upgrade to latest Small CRM version; validate patch in staging first.
  • If patch isn’t available, implement input validation and parameterised queries (prepared statements) for all DB calls; remove dynamic SQL construction.
  • Deploy WAF rules targeting SQLi patterns and restrict access to get-quote.php to trusted networks.
  • Review and harden DB credentials, rotate where appropriate, and segregate CRM DB from other services.
  • Change-management: test regression impact, monitor logs for repeat attempts post-deployment.
  • Note: KEV/EPSS data is not provided; due to public exploit, escalate to high priority while awaiting additional exploitation likelihood indicators.
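To make the second mitigation item concrete, here is an added PHP example (not PHPGurukul's code; the advisory does not show the vulnerable source). It places the concatenation pattern that produces CWE-89 beside a hardened handler that validates the Contact value against an allow-list and binds it through a PDO prepared statement. The table and column names (tblquotes, Contact), the DSN and the assumption that Contact is a phone-style field are all hypothetical.

```php
<?php
// Added example, not the vendor's code. Schema (tblquotes.Contact), DSN and
// the "Contact is a phone number" assumption are hypothetical.

// --- Vulnerable pattern: user input spliced into the SQL text ----------------
function lookupQuoteVulnerable(PDO $db, string $contact): ?array
{
    // A quote character in $contact changes the query structure (CWE-89).
    $sql = "SELECT * FROM tblquotes WHERE Contact = '" . $contact . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened pattern: allow-list validation, then placeholder binding --------
function validateContact(string $contact): string
{
    // Assumption: Contact holds a phone number. Accept digits, '+', space and
    // dash only, and cap the length; everything else is rejected up front.
    $contact = trim($contact);
    if ($contact === '' || strlen($contact) > 32
        || !preg_match('/^[0-9+ \-]+$/', $contact)) {
        throw new InvalidArgumentException('invalid Contact value');
    }
    return $contact;
}

function lookupQuoteSafe(PDO $db, string $contact): ?array
{
    $contact = validateContact($contact);
    // The driver binds the value separately from the SQL text, so its
    // content can never alter the statement.
    $stmt = $db->prepare('SELECT * FROM tblquotes WHERE Contact = :contact');
    $stmt->execute([':contact' => $contact]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Emulated prepares off so binding happens server-side, not by string
// interpolation inside PHP; exceptions so errors cannot be silently ignored.
function connectPdo(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Request handling: reject bad input with 400, log DB errors server-side and
// never return driver error text to the client (it aids blind probing).
function handleGetQuote(array $query): void
{
    try {
        $pdo   = connectPdo('mysql:host=localhost;dbname=smallcrm;charset=utf8mb4',
                            'crm_user', getenv('CRM_DB_PASS') ?: '');
        $quote = lookupQuoteSafe($pdo, $query['Contact'] ?? '');
        header('Content-Type: application/json');
        echo json_encode($quote ?? ['error' => 'not found']);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'bad request';
    } catch (PDOException $e) {
        error_log('get-quote.php db error: ' . $e->getMessage());
        http_response_code(500);
        echo 'internal error';
    }
}

handleGetQuote($_GET);
```

Validation alone is not the fix; the prepared statement is. The allow-list is a second layer that also shrinks the noise a WAF or log review (the detection list above) has to sift through, because values that could never be legitimate never reach the database.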
