CVE-2025-10712: SQL Injection in 07FLYCMS

Medium
Published: Fri Sep 19 2025 (09/19/2025, 13:32:05 UTC)
Source: CVE Database V5
Product: 07FLYCMS

Description

A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This issue affects some unknown processing of the file /index.php/Login/login. Manipulation of the argument Username results in SQL injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/19/2025, 13:34:57 UTC

Technical Analysis

CVE-2025-10712 is a SQL Injection vulnerability identified in the 07FLYCMS family of products, including 07FLYCMS, 07FLY-CMS, and 07FlyCRM, affecting versions up to 20250831. The vulnerability resides in the /index.php/Login/login endpoint, specifically in the processing of the 'Username' parameter. An attacker can remotely manipulate this parameter to inject SQL syntax into the login query, potentially allowing unauthorized access to the backend database. The vulnerability does not require authentication or user interaction, so it is exploitable over the network by an unauthenticated client.

The CVSS 4.0 base score is 6.9, indicating medium severity. The attack vector is network-based with low attack complexity and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is each rated low, meaning that data exposure or modification is possible but may be constrained by the application's design or by the privileges of the database account the application uses.

The vendor was notified but did not respond, and no official patches are currently available. Although no exploitation in the wild has been reported, the exploit code has been publicly disclosed, which increases the likelihood of attacks. The product is distributed under multiple names, which may complicate asset inventory, detection, and mitigation efforts.

Potential Impact

For European organizations using 07FLYCMS or its variants, this vulnerability poses a tangible risk of unauthorized data access or manipulation through SQL Injection attacks. Given the remote exploitability without authentication, attackers could leverage this flaw to extract sensitive information such as user credentials, personal data, or business-critical information stored in the backend database. This could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and potential financial losses. The medium severity rating reflects a moderate risk; however, the lack of vendor response and patches increases the window of exposure. Organizations relying on these CMS or CRM platforms for web presence or customer management should be particularly vigilant. The impact is heightened in sectors with stringent data protection requirements or where the CMS/CRM contains sensitive customer or operational data.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement immediate compensating controls. These include:

1) Employing Web Application Firewalls (WAFs) configured to detect and block SQL Injection patterns targeting the login endpoint, especially the 'Username' parameter.
2) Conducting thorough input validation and sanitization at the application level to reject or neutralize malicious input, if source code access and modification are possible.
3) Restricting database user privileges to the minimum necessary, limiting the potential damage from successful injection.
4) Monitoring logs for unusual login attempts or SQL errors indicative of injection attempts.
5) Considering temporary removal or disabling of the vulnerable login functionality if feasible until a patch or vendor response is available.
6) Engaging in threat intelligence sharing with industry peers to stay informed about emerging exploits.
7) Planning migration to alternative, actively maintained CMS/CRM platforms if long-term vendor support is uncertain.
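As an added illustration of recommendations 1) and 4) (not part of this advisory and not code from the 07FLYCMS project), the following Python script scans login log lines for the /index.php/Login/login endpoint, URL-decodes the Username value, flags SQL-syntax indicators and 5xx responses, and lists client IPs that trigger repeatedly. The log format and all sample lines are constructed for this example; a real deployment would adapt the parser to the web server's or application's own log layout.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of an application-level login log (hypothetical format,
# not 07FLYCMS's own): timestamp, client IP, path, URL-encoded Username, status.
SAMPLE_LOG = """\
2025-09-19T13:32:01Z 203.0.113.10 /index.php/Login/login Username=alice status=200
2025-09-19T13:32:05Z 198.51.100.7 /index.php/Login/login Username=admin%27+OR+%271%27%3D%271 status=500
2025-09-19T13:32:09Z 198.51.100.7 /index.php/Login/login Username=admin%27+UNION+SELECT+1%2C2%2C3-- status=200
2025-09-19T13:32:12Z 203.0.113.11 /index.php/Article/view Username=x%27 status=200
2025-09-19T13:32:15Z 203.0.113.12 /index.php/Login/login Username=o%27brien status=200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) Username=(\S*) status=(\d{3})$")

# Indicators for a field that should hold an identifier, not SQL syntax. A lone
# apostrophe (o'brien) is deliberately not flagged to limit false positives.
SUSPICIOUS = [
    ("comment_marker", re.compile(r"--|/\*|#")),
    ("boolean_tautology", re.compile(r"'\s*(or|and)\s+\S+\s*=", re.I)),
    ("sql_keyword", re.compile(r"\b(union|select|sleep|benchmark)\b", re.I)),
]


def scan_login_log(text, endpoint="/index.php/Login/login"):
    """Return findings for requests to the login endpoint whose decoded Username
    matches an indicator or that produced a 5xx (possible SQL error)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != endpoint:
            continue  # other endpoints are out of scope for this check
        ts, ip, _, raw_user, status = m.groups()
        username = unquote_plus(raw_user)  # decode before matching
        indicators = [name for name, pat in SUSPICIOUS if pat.search(username)]
        if status.startswith("5"):
            indicators.append("server_error")
        if indicators:
            findings.append({"time": ts, "ip": ip, "username": username,
                             "status": int(status), "indicators": indicators})
    return findings


def repeat_offenders(findings, threshold=2):
    """Client IPs with at least `threshold` findings, candidates for blocking."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}
```

Running `scan_login_log(SAMPLE_LOG)` yields two findings from 198.51.100.7 and none for the legitimate users, and `repeat_offenders` returns that address as the only repeat source.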

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-19T06:07:29.051Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cd5bd4829848b34320abb7

Added to database: 9/19/2025, 1:34:12 PM

Last enriched: 9/19/2025, 1:34:57 PM

Last updated: 9/19/2025, 3:30:00 PM
