CVE-2025-10664: SQL Injection in PHPGurukul Small CRM
A vulnerability was determined in PHPGurukul Small CRM 4.0. It affects an unknown function of the file /create-ticket.php. Manipulation of the argument subject can lead to SQL injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
AI Analysis
Technical Summary
CVE-2025-10664 is a SQL injection vulnerability in PHPGurukul Small CRM version 4.0, located in the /create-ticket.php file. It arises from improper sanitization or validation of the 'subject' parameter: input supplied in that argument reaches the database query without being neutralized, so an unauthenticated remote attacker can inject crafted SQL through it with no user interaction. Exploitation can lead to unauthorized access, data leakage, or modification of the underlying database. The vulnerability has been publicly disclosed, which increases the risk of exploitation, although no exploitation in the wild has been reported. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and partial impact on confidentiality, integrity, and availability. Because CRM systems typically store sensitive customer and business data, successful exploitation could result in significant data breaches or operational disruption.
Potential Impact
For European organizations using PHPGurukul Small CRM 4.0, this vulnerability poses a tangible risk to the confidentiality and integrity of customer and business data. Successful exploitation could lead to unauthorized data access, data corruption, or deletion, and exposure of personal data could create regulatory compliance issues under GDPR. The availability of the CRM system could also be affected if attackers manipulate the database to disrupt normal operations, impacting customer service, sales tracking, and internal workflows and leading to financial and reputational damage. Since the vulnerability can be exploited remotely without authentication, attackers anywhere on the internet can target exposed installations. Organizations relying on this CRM for critical business functions should treat the risk of data breaches and operational interruptions as significant, especially if no mitigations are in place.
Mitigation Recommendations
1. Apply patches or updates from PHPGurukul as soon as they become available; this is the most effective mitigation. Since no patch links are currently provided, monitor vendor communications closely.
2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'subject' parameter in /create-ticket.php.
3. Validate all user-supplied data, especially the 'subject' field, and use parameterized queries or prepared statements for every database access so that input is never interpreted as SQL.
4. Perform security audits and code reviews focusing on database interaction points within the CRM application.
5. Restrict the database user's permissions to the minimum necessary to limit the impact of any successful injection.
6. Monitor logs for unusual database queries or errors that may indicate attempted exploitation.
7. If immediate patching is not possible, consider isolating the CRM system from direct internet exposure or placing it behind VPN access controls to reduce the attack surface.
8. Educate IT and security teams about this vulnerability and ensure incident response plans include steps for SQL injection incidents.
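The following PHP is an added example, not code from PHPGurukul Small CRM: the page does not show the affected function, and the table and column names (tbltickets, UserId, Subject, Description), the database account name and the form field names are assumptions chosen for illustration. It contrasts the string-concatenation pattern that produces the flaw class described in the technical summary with a hardened ticket handler that applies recommendations 3 and 5: validate the 'subject' field, bind it through a prepared statement, and connect with a minimally privileged database account.

```php
<?php
// Added example, not code from PHPGurukul Small CRM. Table and column names
// (tbltickets, UserId, Subject, Description) and the DB account are assumptions.
declare(strict_types=1);

// Pattern to flag in code review (recommendation 4): the request value is
// concatenated into the SQL text, so whatever arrives in $_POST['subject']
// becomes part of the statement the database parses.
function createTicketUnsafe(mysqli $db, array $post): bool
{
    $subject = $post['subject'] ?? '';
    $sql = "INSERT INTO tbltickets (Subject) VALUES ('" . $subject . "')";
    return $db->query($sql) !== false;
}

// Business-rule validation for the subject line. Returns null on rejection.
// This is not the SQL injection fix by itself; binding the value below is
// what stops the database from interpreting it as SQL.
function validateSubject(?string $subject): ?string
{
    if ($subject === null) {
        return null;
    }
    $subject = trim($subject);
    if ($subject === '' || mb_strlen($subject) > 200) {
        return null;
    }
    // Reject control characters that have no place in a ticket subject.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $subject) === 1) {
        return null;
    }
    return $subject;
}

// Hardened handler (recommendation 3): the query text is fixed, and the
// user-supplied values travel separately as bound parameters.
function createTicketSafe(mysqli $db, array $post, int $userId): bool
{
    $subject = validateSubject($post['subject'] ?? null);
    if ($subject === null) {
        return false; // reject invalid input instead of trying to "clean" it
    }
    $description = trim((string) ($post['description'] ?? ''));

    $stmt = $db->prepare(
        'INSERT INTO tbltickets (UserId, Subject, Description) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iss', $userId, $subject, $description);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Form entry point. The account used here should be granted only the
// SELECT/INSERT/UPDATE rights the CRM needs on its own tables
// (recommendation 5), so a successful injection elsewhere cannot read
// unrelated schemas or alter the database structure.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    $db = new mysqli('localhost', 'crm_app', 'CHANGE_ME', 'smallcrm'); // assumed credentials
    $db->set_charset('utf8mb4');
    $ok = createTicketSafe($db, $_POST, (int) ($_SESSION['uid'] ?? 0));
    echo $ok ? 'Ticket created' : 'Invalid ticket';
}
```

In a review of /create-ticket.php or any other database interaction point, the question to ask of each query is the one these two functions make visible: is the request value part of the SQL string, or is it passed as a parameter? Only the second form closes the injection path; input filtering on top of it is defence in depth, not a substitute.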
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-18T05:23:08.944Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68cbf67185df6e2bfaa71542
Added to database: 9/18/2025, 12:09:21 PM
Last enriched: 9/18/2025, 12:09:52 PM
Last updated: 9/18/2025, 1:37:38 PM
Related Threats
CVE-2025-9992: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nko Ghost Kit – Page Builder Blocks, Motion Effects & Extensions (Medium)
CVE-2025-8565: CWE-862 Missing Authorization in wplegalpages Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages (High)
CVE-2025-30187: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') in PowerDNS DNSdist (Low)
CVE-2025-10493: CWE-639 Authorization Bypass Through User-Controlled Key in prasunsen Chained Quiz (Medium)
CVE-2025-0547: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Paraşüt Software Bizmu (Medium)