CVE-2025-10095: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Proximus sp. z o.o. SMSEagle
A SQL injection vulnerability has been identified in the SMPP server component of the SMSEagle firmware, specifically affecting the handling of certain parameters within the server's database interactions. The vulnerability is isolated to the SMPP server, which operates with its own dedicated database, separate from the main software's database. This isolation limits the scope of the vulnerability to the SMPP server's operations. The vulnerability arises from improper sanitization of user input in the SMPP server's scripts. This issue has been fixed in version 6.11.
AI Analysis
Technical Summary
CVE-2025-10095 is a medium-severity SQL injection vulnerability identified in the SMPP server component of the SMSEagle firmware developed by Proximus sp. z o.o. The vulnerability stems from improper neutralization of special elements used in SQL commands (CWE-89), specifically due to inadequate sanitization of user inputs handled by the SMPP server's scripts. The SMPP server operates with a dedicated database separate from the main SMSEagle software database, which limits the scope of the vulnerability to the SMPP server's operations only. Exploitation of this vulnerability could allow an unauthenticated remote attacker to inject malicious SQL commands via crafted input parameters to the SMPP server, potentially leading to unauthorized data access or manipulation within the SMPP server's database. The CVSS 4.0 base score is 5.3, reflecting an attack vector requiring adjacent network access (AV:A), low attack complexity (AC:L), no privileges or user interaction needed, and limited impact on confidentiality and integrity. No known exploits are currently in the wild, and the issue has been addressed in SMSEagle firmware version 6.11. The vulnerability's isolation to the SMPP server database reduces the risk of broader system compromise, but given the critical role of SMPP servers in SMS message routing and delivery, exploitation could disrupt messaging services or leak sensitive SMS-related data.
Potential Impact
For European organizations using SMSEagle devices with vulnerable SMPP server firmware, this vulnerability could lead to unauthorized access or manipulation of SMS routing data, potentially impacting the confidentiality and integrity of SMS communications. Organizations relying on SMSEagle for critical SMS-based notifications, two-factor authentication, or alerting systems may experience service disruptions or data leakage. Although the vulnerability does not directly affect the main SMSEagle database, attackers could leverage the SMPP server compromise to interfere with SMS message flows or gather sensitive metadata. This could have regulatory implications under GDPR if personal data is exposed. The medium severity and limited scope mean the impact is contained but still significant for organizations with high SMS communication dependency, such as telecom providers, financial institutions, or emergency services in Europe.
Mitigation Recommendations
1. Immediate upgrade to SMSEagle firmware version 6.11 or later, which contains the fix for this SQL injection vulnerability.
2. Restrict network access to the SMPP server component to trusted hosts and networks only, using firewall rules or network segmentation to reduce the attack surface.
3. Implement monitoring and alerting on SMPP server logs for anomalous input patterns or SQL errors indicative of injection attempts.
4. Conduct regular security audits and penetration testing focused on SMPP server interfaces to detect potential injection vectors.
5. Employ Web Application Firewalls (WAFs) or SQL injection detection/prevention systems tailored to SMPP traffic if feasible.
6. Review and harden input validation and sanitization mechanisms in any custom scripts or integrations interacting with the SMPP server.
7. Ensure incident response plans include procedures for SMS infrastructure compromise scenarios.
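For recommendation 6, an added example (not SMSEagle code and not part of the advisory): a hypothetical Python integration that parses an SMPP 3.4 bind_transmitter PDU, enforces the protocol's field sizes, and writes to an audit table only through bound parameters. The `bind_audit` table, the function names and the sample PDU are assumptions constructed for illustration; the advisory does not name the affected parameters.

```python
import sqlite3
import struct

BIND_TRANSMITTER = 0x00000002  # SMPP 3.4 command_id
# Maximum field sizes in octets, including the NUL terminator (SMPP 3.4)
MAX_LEN = {"system_id": 16, "password": 9, "system_type": 13}

def read_cstring(buf, offset, max_len):
    """Read a NUL-terminated C-octet string, enforcing the field's maximum size."""
    end = buf.find(b"\x00", offset, offset + max_len)
    if end == -1:
        raise ValueError("field unterminated or longer than the protocol allows")
    raw = buf[offset:end]
    if any(b < 0x20 or b > 0x7E for b in raw):
        raise ValueError("non-printable byte in C-octet string")
    return raw.decode("ascii"), end + 1

def parse_bind(pdu):
    """Parse the header and the first three body fields of a bind_transmitter PDU."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    length, command_id, _status, seq = struct.unpack_from(">IIII", pdu, 0)
    if length != len(pdu) or command_id != BIND_TRANSMITTER:
        raise ValueError("bad command_length or unexpected command_id")
    fields, offset = {"sequence_number": seq}, 16
    for name in ("system_id", "password", "system_type"):
        fields[name], offset = read_cstring(pdu, offset, MAX_LEN[name])
    return fields

def record_bind(db, fields):
    """Store the attempt with bound parameters; values never become SQL text."""
    db.execute(
        "INSERT INTO bind_audit (system_id, system_type, seq) VALUES (?, ?, ?)",
        (fields["system_id"], fields["system_type"], fields["sequence_number"]),
    )

def build_bind(system_id, password, system_type, seq=1):
    """Build a constructed sample PDU for the demo (not captured traffic)."""
    body = b"".join(s + b"\x00" for s in (system_id, password, system_type))
    body += b"\x34\x00\x00\x00"  # interface_version, addr_ton, addr_npi, empty address_range
    return struct.pack(">IIII", 16 + len(body), BIND_TRANSMITTER, 0, seq) + body

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bind_audit (system_id TEXT, system_type TEXT, seq INTEGER)")
    # The apostrophe is stored as plain data because it travels as a bound parameter.
    record_bind(db, parse_bind(build_bind(b"o'brien", b"secret", b"SMS", seq=7)))
    return db.execute("SELECT system_id, system_type, seq FROM bind_audit").fetchall()
```

Length and character checks reject malformed fields early, while the bound parameters are what keep any accepted value from being interpreted as SQL.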
Affected Countries
Poland, Germany, France, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-09-08T09:14:51.760Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68bffb5303190e417d89476d
Added to database: 9/9/2025, 10:02:59 AM
Last enriched: 9/9/2025, 10:03:20 AM
Last updated: 9/9/2025, 12:25:47 PM