CVE-2025-7170 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Crime Reporting System, specifically within the /registration.php file. The vulnerability arises due to improper sanitization or validation of the 'Name' parameter, which can be manipulated by an attacker to inject malicious SQL commands. This flaw allows an unauthenticated remote attacker to execute arbitrary SQL queries against the backend database without requiring any user interaction or privileges. The injection can lead to unauthorized data access, data modification, or even complete compromise of the underlying database. The vulnerability is remotely exploitable over the network, increasing the attack surface significantly. Although the CVSS 4.0 score is 6.9 (medium severity), the description classifies it as critical, reflecting the potential impact of SQL injection flaws. The CVSS vector indicates no authentication or user interaction is required, with low complexity, and partial impact on confidentiality, integrity, and availability. No official patches or mitigations have been published yet, and no known exploits are currently observed in the wild, but the exploit details have been publicly disclosed, increasing the risk of exploitation.

For European organizations, especially those involved in law enforcement, public safety, or municipal services using the code-projects Crime Reporting System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive crime reports, personal data of victims or witnesses, and operational details, undermining privacy and legal compliance with GDPR. Data integrity could be compromised, allowing attackers to alter or delete crime records, which could disrupt investigations and judicial processes. Availability impacts could result in denial of service or system outages, affecting critical public safety functions. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, potentially by cybercriminals or state-sponsored actors targeting European public sector infrastructure. The lack of patches means organizations must rely on immediate mitigations to protect sensitive data and maintain trust in crime reporting systems.

European organizations should immediately implement input validation and sanitization controls on the 'Name' parameter within /registration.php, employing prepared statements or parameterized queries to prevent SQL injection. If source code modification is not feasible, deploying Web Application Firewalls (WAFs) with rules specifically targeting SQL injection patterns can provide temporary protection. Network segmentation and strict access controls should limit exposure of the Crime Reporting System to trusted networks only. Regular monitoring and logging of database queries and application logs should be enhanced to detect anomalous activities indicative of exploitation attempts. Organizations should prioritize upgrading to patched versions once available from the vendor or consider alternative secure platforms if remediation is delayed. Additionally, conducting security audits and penetration testing focused on injection flaws will help identify and mitigate similar vulnerabilities.