CVE-2025-64084: n/a
An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 and earlier. The vucc_details_ajax function in application/controllers/Awards.php does not properly sanitize the user-supplied Gridsquare POST parameter. This allows a remote, authenticated attacker to execute arbitrary SQL commands by injecting a malicious payload, which is then concatenated directly into a raw SQL query in the vucc_qso_details function.
AI Analysis
Technical Summary
CVE-2025-64084 is an authenticated SQL injection vulnerability identified in Cloudlog version 2.7.5 and earlier. The root cause lies in the vucc_details_ajax function within the application/controllers/Awards.php file, where the Gridsquare POST parameter supplied by the user is not properly sanitized before being used in the vucc_qso_details function. This function concatenates the user input directly into a raw SQL query, violating secure coding practices and enabling SQL injection attacks. An attacker with valid authentication credentials but potentially low privileges can exploit this flaw to execute arbitrary SQL commands against the backend database. This could lead to unauthorized reading or modification of data, potentially compromising confidentiality and integrity of stored information. The vulnerability does not require user interaction beyond authentication and has a CVSS 3.1 base score of 5.4, reflecting medium severity. The attack vector is network-based (remote), with low attack complexity and no user interaction required. The scope is unchanged, meaning the vulnerability affects only the vulnerable component without impacting other components. There are no known public exploits at this time, and no patches have been linked yet, so organizations should monitor for updates and consider interim mitigations. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a common and well-understood injection flaw.
Potential Impact
For European organizations using Cloudlog, especially amateur radio clubs, hobbyists, or institutions relying on this software for logging and awards management, this vulnerability poses a risk of unauthorized data access and manipulation. The SQL injection could allow attackers to extract sensitive user data, alter records, or corrupt the database, undermining data integrity and confidentiality. While availability impact is not indicated, the integrity and confidentiality breaches could lead to loss of trust, reputational damage, and potential regulatory compliance issues under GDPR if personal data is involved. The requirement for authentication limits the attack surface but does not eliminate risk, particularly if credentials are weak or compromised. Organizations with multiple users or public-facing Cloudlog instances are at higher risk. Given the niche nature of Cloudlog, the impact is more concentrated but still significant for affected communities and organizations in Europe.
Mitigation Recommendations
Organizations should immediately review user access controls to ensure only trusted users have authentication credentials to Cloudlog. Implement strong password policies and consider multi-factor authentication if supported. Monitor and restrict access to the vucc_details_ajax endpoint where possible, using web application firewalls (WAFs) to detect and block suspicious SQL injection patterns targeting the Gridsquare parameter. Until an official patch is released, consider applying input validation or sanitization at the web server or application proxy level to filter out malicious payloads. Regularly audit database logs for unusual queries or activities indicative of injection attempts. Back up databases frequently to enable recovery in case of data corruption. Engage with the Cloudlog developers or community to track patch releases and apply updates promptly once available. Educate users about the risks of credential compromise and enforce least privilege principles to minimize potential damage from authenticated attackers.
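The input-validation mitigation can be made concrete with the following added example, which is not Cloudlog's code and not part of the original advisory. It contrasts the concatenation pattern described above with an allowlist check plus a bound parameter; the `qso` table, its columns and all function names are hypothetical, and it assumes the Gridsquare value is a Maidenhead locator of 4, 6 or 8 characters.

```python
import re
import sqlite3

# Maidenhead locator: field (A-R x2), square (0-9 x2), optional subsquare
# (A-X x2), optional extended square (0-9 x2). Assumption: this is the only
# legitimate shape of the Gridsquare parameter.
LOCATOR_RE = re.compile(
    r"[A-R]{2}[0-9]{2}(?:[A-X]{2}(?:[0-9]{2})?)?", re.IGNORECASE
)


def valid_gridsquare(value):
    """Allowlist check: True only for a well-formed 4/6/8-character locator."""
    return isinstance(value, str) and LOCATOR_RE.fullmatch(value) is not None


def make_db():
    """Constructed in-memory table standing in for a QSO log (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE qso (callsign TEXT, gridsquare TEXT)")
    db.executemany(
        "INSERT INTO qso VALUES (?, ?)",
        [("K1ABC", "FN31"), ("DL1XYZ", "JO62"), ("G4TST", "IO91")],
    )
    return db


def lookup_concatenated(db, gridsquare):
    """Flawed pattern from the advisory: the input becomes part of the SQL text."""
    sql = "SELECT callsign FROM qso WHERE gridsquare LIKE '" + gridsquare + "%'"
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, gridsquare):
    """Hardened form: reject non-locators, then bind the value as data."""
    if not valid_gridsquare(gridsquare):
        raise ValueError("Gridsquare is not a Maidenhead locator")
    sql = "SELECT callsign FROM qso WHERE gridsquare LIKE ? || '%'"
    return [row[0] for row in db.execute(sql, (gridsquare.upper(),))]
```

A value with a single stray quote already reaches the SQL parser in `lookup_concatenated` and fails with a syntax error, while `lookup_bound` rejects it before any query is built.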
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Czech Republic
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6917959ad767b187e9434ea9
Added to database: 11/14/2025, 8:48:26 PM
Last enriched: 11/21/2025, 9:00:09 PM
Last updated: 12/30/2025, 3:11:32 AM