CVE Alert: CVE-2025-10114 – PHPGurukul – Small CRM
CVE-2025-10114
A vulnerability was found in PHPGurukul Small CRM 4.0. Affected by this issue is some unknown functionality of the file /profile.php. The manipulation of the argument Name results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.
AI Summary Analysis
Risk verdict
High risk: remote, unauthenticated SQL injection with a publicly available exploit makes automated exploitation highly likely.
Why this matters
In a Small CRM, an attacker can exfiltrate or modify customer data, credentials, or records, with potential regulatory and reputational impact. The public availability of the exploit lowers the bar for attackers and can enable rapid automated campaigns against exposed deployments.
Most likely attack path
No authentication is required; the vector is /profile.php with crafted Name input (AV:N, AC:L, UI:N). The attacker can trigger data leakage or modification with low complexity. Lateral movement beyond the application's database is unlikely because of scope restrictions, but data disclosure or tampering within the CRM is plausible.
Who is most exposed
Publicly reachable, self-hosted PHP-based Small CRM instances are the primary risk; any organisation running 4.0 on internet-facing infrastructure without strong WAF, input validation, or DB access controls is affected.
Detection ideas
- Unusual or malformed input patterns to the Name parameter in profile.php; SQL syntax fragments in logs.
- Database error messages appearing in application logs or responses.
- Elevated query latency or unusual DB activity around profile retrieval/update.
- WAF/IDS alerts for SQLi payloads targeting profile.php.
- Repeated failed or anomalous login or data access attempts from unfamiliar IPs.
Mitigation and prioritisation
- Apply available patch or upgrade to a fixed release; verify vendor advisory and test in staging.
- Enforce parameterised queries and strong input validation for all user inputs, especially Name in profile.php.
- Restrict DB privileges of the web-app account; use least privilege and separate read/write roles.
- Deploy or tune a web application firewall to block common SQLi patterns; enable logging and alerting.
- Change management: schedule deployment with a back-out plan; monitor for data exfiltration indicators after patching. If a CISA KEV listing or an EPSS score ≥ 0.5 becomes known, escalate to priority 1.
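The parameterised-query mitigation above, as an added illustration for the Name field of profile.php. This is not PHPGurukul's code and not the patched release; the table and column names (tbluser, Name, id), the session key uid and the database account name are assumptions.

```php
<?php
// Added example, not PHPGurukul Small CRM code: a hardened profile-name
// update handler. Table/column names and the session key are assumed.
declare(strict_types=1);

// Fail loudly on driver errors instead of leaking SQL errors into responses.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Server-side validation: bound the length and restrict the character set.
// Returns the cleaned name, or null when the input must be rejected.
function validate_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    if (!preg_match("/^[\p{L} .'-]+\$/u", $name)) {
        return null;
    }
    return $name;
}

// The value is bound as a parameter, never concatenated into the SQL text,
// so SQL metacharacters in Name cannot change the statement's structure.
function update_profile_name(mysqli $db, int $userId, string $rawName): bool
{
    $name = validate_name($rawName);
    if ($name === null) {
        return false;
    }
    $stmt = $db->prepare('UPDATE tbluser SET Name = ? WHERE id = ?');
    $stmt->bind_param('si', $name, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Wiring inside profile.php (assumed session handling). The DB account
// 'crm_app' is assumed to hold only the privileges the CRM needs.
session_start();
$db = new mysqli('localhost', 'crm_app', getenv('CRM_DB_PASSWORD') ?: '', 'smallcrm');
$db->set_charset('utf8mb4');
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['uid'])) {
    if (!update_profile_name($db, (int) $_SESSION['uid'], $_POST['Name'] ?? '')) {
        http_response_code(400); // rejected input: log it, do not echo SQL errors
    }
}
```

Rejected inputs (400 responses) are also a useful detection signal when logged alongside the source IP and the raw Name value.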