
CVE-2025-10460: CWE-20 Improper Input Validation in BEIMS Contractor Web

Severity: Critical
Tags: vulnerability, cve-2025-10460, cve, cwe-20
Published: Mon Nov 17 2025 (11/17/2025, 02:48:25 UTC)
Source: CVE Database V5
Vendor/Project: BEIMS
Product: Contractor Web

Description

A SQL Injection vulnerability on an endpoint in BEIMS Contractor Web, a legacy product that is no longer maintained or patched by the vendor, allows an unauthorised user to retrieve sensitive database contents via unsanitized parameter input. This vulnerability occurs due to improper input validation on /BEIMSWeb/contractor.asp endpoint and successful exploitation requires a contractor.asp endpoint open to the internet. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity and potentially the availability of the database. Version 5.7.139 has been confirmed as vulnerable. Other versions have not been confirmed by the vendor and users should assume that all versions of BEIMS Contractor Web may be impacted until further guidance is provided by the vendor.

AI-Powered Analysis

AI analysis last updated: 11/17/2025, 03:13:23 UTC

Technical Analysis

CVE-2025-10460 is a SQL Injection vulnerability classified under CWE-20 (Improper Input Validation) affecting BEIMS Contractor Web, specifically version 5.7.139. The vulnerability exists because user-supplied input to the /BEIMSWeb/contractor.asp endpoint is not properly validated or sanitized before it reaches backend database queries, allowing unauthenticated attackers to inject arbitrary SQL commands. Because the product is legacy and no longer maintained or patched by the vendor, no official fixes or updates are available, which increases the risk for users still running this software. Successful exploitation can lead to unauthorized data retrieval, modification, or deletion, impacting the confidentiality, integrity, and availability of the database. The vulnerability requires the endpoint to be reachable over the internet, which is common for contractor-facing web applications. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:L/SA:N) indicates a network attack vector, low attack complexity, one attack requirement (the exposed endpoint), no privileges or user interaction required, high impact on the confidentiality and integrity of the vulnerable system, low impact on its availability, and high confidentiality impact on subsequent systems. While no exploits have been reported in the wild yet, the critical severity and ease of exploitation make this a high-risk vulnerability for affected organizations.

Potential Impact

For European organizations, the impact of CVE-2025-10460 is significant. Organizations using BEIMS Contractor Web with internet-exposed contractor.asp endpoints risk unauthorized disclosure of sensitive contractor and project data, potentially including personal data protected under GDPR. The compromise of database integrity could lead to data tampering, affecting operational decisions and contractual obligations. Availability impacts, though rated lower, could disrupt contractor management workflows. The lack of vendor support means organizations cannot rely on official patches, increasing the likelihood of prolonged exposure. This vulnerability could also be leveraged as a foothold for further network intrusion or lateral movement. Industries with extensive contractor engagement such as construction, engineering, and facilities management in Europe are particularly vulnerable. Data breaches resulting from this vulnerability could lead to regulatory fines, reputational damage, and operational disruptions.

Mitigation Recommendations

Given the absence of vendor patches, European organizations should implement compensating controls immediately. These include restricting internet exposure of the /BEIMSWeb/contractor.asp endpoint, for example through firewall rules or by allowing access only over VPN for trusted users. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting this endpoint. Conduct thorough input validation and sanitization at the application layer if source code access is available. Monitor web server and database logs for unusual queries or access patterns indicative of exploitation attempts. Isolate the BEIMS Contractor Web system within segmented network zones to limit lateral movement. Consider migrating to supported contractor management solutions to eliminate reliance on legacy, unpatched software. Regularly back up databases and test restoration procedures to mitigate availability risks. Finally, raise user awareness about the risks of legacy software and enforce strict access controls.
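As an added example of the log-monitoring recommendation above (not code from the advisory or from the vendor), the following script scans IIS W3C access-log lines for requests to the contractor.asp endpoint whose URL-decoded query string carries common SQL injection indicators. The log lines, the reduced field list and the indicator patterns are constructed for this illustration; tune the patterns to your own WAF or SIEM ruleset.

```python
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory, compared case-insensitively (IIS paths are not case-sensitive).
ENDPOINT = "/beimsweb/contractor.asp"

# Generic SQL-injection indicators, applied to the fully URL-decoded query string.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|delete|update|insert|exec)\b", re.I)),
    ("sql-comment", re.compile(r"'\s*--|--\s*$|/\*")),
    ("time-based", re.compile(r"\b(waitfor\s+delay|sleep\s*\()", re.I)),
]

# Constructed sample log in IIS W3C extended format with a reduced field list.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-11-17 02:50:01 10.0.0.5 GET /BEIMSWeb/contractor.asp id=1042 443 - 203.0.113.7 Mozilla/5.0 200
2025-11-17 02:50:09 10.0.0.5 GET /BEIMSWeb/contractor.asp id=1042%27+OR+%271%27%3D%271 443 - 203.0.113.7 Mozilla/5.0 200
2025-11-17 02:50:15 10.0.0.5 GET /BEIMSWeb/contractor.asp id=1%20UNION%20SELECT%201%2C2-- 443 - 203.0.113.7 curl/8.4 500
2025-11-17 02:51:30 10.0.0.5 GET /BEIMSWeb/login.asp id=1%27+OR+1%3D1 443 - 198.51.100.9 Mozilla/5.0 200
"""

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_w3c(lines):
    """Yield one dict per log record, using the #Fields directive for column names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def detect_sqli(lines, stem=ENDPOINT):
    """Return (client IP, decoded query, indicator) for each suspicious request.
    With stem=None every endpoint in the log is examined."""
    hits = []
    for rec in parse_w3c(lines):
        if stem and rec["cs-uri-stem"].lower() != stem:
            continue
        query = decode_fully(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else ""
        for name, pattern in SQLI_PATTERNS:
            if pattern.search(query):
                hits.append((rec["c-ip"], query, name))
                break
    return hits

if __name__ == "__main__":
    for ip, query, indicator in detect_sqli(SAMPLE_LOG.splitlines()):
        print(f"{ip} {indicator}: {query}")
```

Multiple hits from one client IP within a short window are a stronger signal than a single match, so aggregate by c-ip before alerting.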


Technical Details

Data Version
5.2
Assigner Short Name
MON-CSIRT
Date Reserved
2025-09-15T05:46:32.298Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 691a8f51c118c0da2e582c78

Added to database: 11/17/2025, 2:58:25 AM

Last enriched: 11/17/2025, 3:13:23 AM

Last updated: 11/17/2025, 6:01:16 AM

