CVE-2025-10390: Improper Authorization in CRMEB
A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10390 is a medium-severity vulnerability affecting CRMEB versions up to 5.6.1, specifically the editAddress function in the file app/services/user/UserAddressServices.php. The vulnerability arises from improper authorization controls on the ID argument: requests that change the ID value are not adequately checked against the caller's permissions. This allows an attacker to exploit the system remotely by crafting requests that alter the ID argument, potentially enabling unauthorized modification of another user's address data. No user interaction is required and the attack is network-based, but it does require low privileges (PR:L), meaning the attacker needs an account on the platform. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) reflects low attack complexity, no user interaction, low impact on integrity and availability, and no direct impact on confidentiality. The vendor has not responded to the disclosure, and no official patches are currently available. Although no exploitation in the wild has been reported, public exploit code is available, which increases the risk of exploitation. This vulnerability could allow attackers to manipulate user address information, potentially leading to data integrity issues, unauthorized data disclosure, or further escalation depending on the CRMEB deployment context.
Potential Impact
For European organizations using CRMEB versions 5.6.0 or 5.6.1, this vulnerability poses a risk to the integrity and confidentiality of customer data managed within the CRM system. Unauthorized modification of address data could lead to fraudulent activities, misdirected communications, or compliance violations under GDPR due to inaccurate personal data handling. The ability to exploit this remotely without user interaction increases the threat surface, especially for organizations exposing CRMEB services to the internet or internal networks with insufficient segmentation. The lack of vendor response and absence of patches means organizations must rely on compensating controls to mitigate risk. If exploited, this vulnerability could undermine trust in customer data management processes and potentially facilitate further attacks leveraging compromised user information. The medium severity rating suggests a moderate but tangible risk that should be addressed promptly to avoid escalation.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement the following specific mitigations:
1) Restrict network access to CRMEB services, limiting exposure to trusted internal networks and VPNs only.
2) Implement strict access controls and monitoring on the editAddress function usage, including logging and anomaly detection for unusual ID parameter manipulations.
3) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the editAddress endpoint, especially those attempting to manipulate ID parameters.
4) Conduct thorough code reviews and, if feasible, apply temporary code-level fixes or input validation to enforce proper authorization checks on the ID argument.
5) Educate administrators and users about the vulnerability and encourage prompt reporting of suspicious activity.
6) Monitor threat intelligence feeds for any emerging exploits or vendor patches to apply updates immediately upon release.
7) Consider isolating CRMEB instances or deploying them in segmented environments to limit lateral movement if compromised.
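The anomaly detection in mitigation 2 can be illustrated with a small log-based detector. This is an added example, not code from CRMEB or the advisory: the log format, the endpoint path /api/user/address/edit and the field name id are assumptions, since the advisory names only the editAddress function and its ID argument. A legitimate low-privilege user edits a handful of their own addresses, so one account successfully editing many distinct address IDs in a short span is the signal worth alerting on.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real CRMEB logs). The endpoint path and the
# "id" field name are assumptions; only editAddress and its ID argument come
# from the advisory.
SAMPLE_LOG = """\
2025-09-15T00:01:02Z uid=1001 POST /api/user/address/edit id=17 status=200
2025-09-15T00:01:09Z uid=1001 POST /api/user/address/edit id=17 status=200
2025-09-15T00:02:11Z uid=2042 POST /api/user/address/edit id=301 status=200
2025-09-15T00:02:12Z uid=2042 POST /api/user/address/edit id=302 status=200
2025-09-15T00:02:13Z uid=2042 POST /api/user/address/edit id=303 status=200
2025-09-15T00:02:14Z uid=2042 POST /api/user/address/edit id=304 status=200
2025-09-15T00:02:15Z uid=2042 POST /api/user/address/edit id=305 status=200
2025-09-15T00:03:00Z uid=3003 GET  /api/user/address/list status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) (?P<method>\S+)\s+(?P<path>\S+)"
    r"(?: id=(?P<id>\d+))? status=(?P<status>\d+)$"
)
EDIT_PATH = "/api/user/address/edit"  # assumed route for editAddress


def parse_edit_events(log_text):
    """Return (uid, address_id) pairs for successful editAddress calls."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") != EDIT_PATH or m.group("id") is None:
            continue
        if m.group("status") != "200":
            continue  # only successful edits indicate a real authorization gap
        events.append((int(m.group("uid")), int(m.group("id"))))
    return events


def flag_id_enumeration(events, max_distinct_ids=3):
    """Flag users who edited more distinct address IDs than a normal
    account owns. Returns {uid: sorted list of IDs} for each offender;
    the threshold should be tuned to the deployment's real usage."""
    ids_by_uid = defaultdict(set)
    for uid, addr_id in events:
        ids_by_uid[uid].add(addr_id)
    return {uid: sorted(ids) for uid, ids in ids_by_uid.items()
            if len(ids) > max_distinct_ids}
```

Running the detector over the constructed log flags uid 2042, which walked five consecutive address IDs, while uid 1001 editing its own address twice is not reported.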
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-13T09:45:56.203Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68c7591939776bc2a1466a89
Added to database: 9/15/2025, 12:08:57 AM
Last enriched: 9/22/2025, 12:41:20 AM
Last updated: 2/7/2026, 2:14:51 PM