
CVE-2025-10390: Improper Authorization in CRMEB

Medium
Vulnerability | CVE-2025-10390
Published: Sun Sep 14 2025 (09/14/2025, 04:32:05 UTC)
Source: CVE Database V5
Product: CRMEB

Description

A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 09/15/2025, 00:11:20 UTC

Technical Analysis

CVE-2025-10390 is a medium-severity vulnerability affecting CRMEB versions up to 5.6.1, specifically within the editAddress function located in the app/services/user/UserAddressServices.php file. The vulnerability arises from missing authorization checks when handling the ID argument: the ID supplied by the caller selects the address record to modify without verifying that the record belongs to the requesting user. An attacker can manipulate this ID parameter remotely to bypass authorization controls, potentially allowing unauthorized modification of other users' address data. The vulnerability does not require user interaction and can be exploited over the network with low attack complexity. The CVSS 4.0 vector indicates that only low privileges are required (PR:L), that no user interaction is needed, and that the attack impacts confidentiality, integrity, and availability to a limited extent. Although the vendor was notified early, there has been no response or patch released at the time of disclosure. Public exploit code is available, increasing the risk of exploitation. The lack of a patch and vendor engagement means organizations using affected CRMEB versions remain exposed. CRMEB is a customer relationship management system, often used by businesses to manage client data and interactions, making the integrity and confidentiality of stored addresses critical. Improper authorization in this context could lead to unauthorized data modification, potentially facilitating fraud, data corruption, or further privilege escalation if combined with other vulnerabilities.

Potential Impact

For European organizations using CRMEB versions 5.6.0 or 5.6.1, this vulnerability poses a tangible risk to the confidentiality and integrity of customer data. Unauthorized modification of address information could lead to misdirected communications, fraudulent transactions, or reputational damage. In sectors such as finance, retail, or healthcare, where CRM data is tightly linked to sensitive personal information, the impact could extend to regulatory non-compliance under GDPR, resulting in legal and financial penalties. The remote exploitability and availability of public exploit code increase the likelihood of attacks, especially against organizations that have not applied mitigations or workarounds. While availability impact is limited, the integrity compromise could disrupt business operations and customer trust. The absence of vendor patches means organizations must rely on alternative mitigation strategies to reduce exposure.

Mitigation Recommendations

Given the lack of an official patch, European organizations should implement the following specific mitigations:

1) Conduct an immediate audit of CRMEB installations to identify affected versions (5.6.0 and 5.6.1).
2) Restrict network access to the CRMEB application, limiting it to trusted IP ranges and internal networks only, to reduce the remote attack surface.
3) Implement web application firewall (WAF) rules to detect and block suspicious requests manipulating the ID parameter in the editAddress function.
4) Enforce strict access controls and monitoring on user address modification functions, including logging and alerting on anomalous changes.
5) Where possible, apply custom authorization checks at the application or database layer to validate user permissions before processing address edits.
6) Prepare an upgrade plan to a future patched version once available, and monitor vendor communications closely.
7) Educate internal teams about the vulnerability and encourage vigilance for unusual CRM activity.

These targeted steps go beyond generic advice by focusing on access restriction, monitoring, and compensating controls specific to the vulnerability's exploitation vector.
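The following is an added illustration, not CRMEB's own code, of the flaw class described in the technical analysis and of the compensating check recommended in mitigation 5: an "edit address by ID" service that trusts the caller-supplied ID, beside a version that scopes the record to the authenticated user and logs denied attempts for alerting (mitigation 4). The class and method names, the in-memory repository and the sample rows are assumptions constructed for the example.

```php
<?php
// Added example (assumed names, constructed data); not CRMEB's implementation.
declare(strict_types=1);

final class AddressRepository
{
    /** Constructed sample rows: address id => owning user id and detail. */
    private array $rows = [
        1 => ['uid' => 10, 'detail' => 'Berlin, Hauptstr. 1'],
        2 => ['uid' => 20, 'detail' => 'Paris, Rue A 2'],
    ];

    public function find(int $id): ?array { return $this->rows[$id] ?? null; }
    public function update(int $id, string $detail): void { $this->rows[$id]['detail'] = $detail; }
}

final class UserAddressService
{
    public function __construct(private AddressRepository $repo) {}

    // Vulnerable pattern: the request-supplied id selects the row directly and
    // nothing ties the row to the caller, so any valid id can be modified.
    public function editAddressUnchecked(int $id, string $detail): bool
    {
        if ($this->repo->find($id) === null) { return false; }
        $this->repo->update($id, $detail);
        return true;
    }

    // Hardened: the owner id comes from the server-side session, never from the
    // request, and the row must belong to that user. A foreign id and a missing
    // id get the same "not found" result, so the response leaks nothing about
    // which ids exist; the denial is logged as input for monitoring rules.
    public function editAddress(int $sessionUid, int $id, string $detail): bool
    {
        $row = $this->repo->find($id);
        if ($row === null || $row['uid'] !== $sessionUid) {
            error_log("address edit denied: uid=$sessionUid address_id=$id");
            return false;
        }
        $this->repo->update($id, $detail);
        return true;
    }
}

$svc = new UserAddressService(new AddressRepository());
var_dump($svc->editAddressUnchecked(2, 'changed'));           // row of user 20 edited with no owner check
var_dump($svc->editAddress(10, 2, 'changed'));                // user 10 asks for user 20's row: denied
var_dump($svc->editAddress(10, 1, 'Berlin, Neue Str. 5'));    // user 10 edits their own row
```

The same owner-scoping can be pushed into the query itself (`WHERE id = ? AND uid = ?`) so that a forgotten check in a new code path still cannot reach another user's row.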


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-13T09:45:56.203Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c7591939776bc2a1466a89

Added to database: 9/15/2025, 12:08:57 AM

Last enriched: 9/15/2025, 12:11:20 AM

Last updated: 9/15/2025, 3:28:43 AM

