CVE-2025-7172 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Crime Reporting System, specifically within the /headlogin.php file. The vulnerability arises from improper sanitization or validation of the 'email' parameter, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. Exploiting this flaw, an attacker can manipulate backend SQL queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the underlying database. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with the vector highlighting network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L). Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation by threat actors. The absence of patches or mitigations from the vendor at this time further elevates the risk for users of this system. Given that the Crime Reporting System is likely used by law enforcement or related agencies to manage sensitive crime data, the exploitation of this vulnerability could lead to exposure of confidential information, manipulation of crime reports, or disruption of critical public safety operations.

For European organizations, particularly law enforcement agencies, government bodies, and public safety departments using the code-projects Crime Reporting System 1.0, this vulnerability poses significant risks. Successful exploitation could lead to unauthorized disclosure of sensitive crime data, undermining investigations and compromising victim privacy. Data integrity could be affected, allowing attackers to alter crime reports or evidence records, which could have legal and operational consequences. Availability impacts, while limited, could disrupt access to the system, delaying critical response actions. Additionally, exploitation could erode public trust in law enforcement IT infrastructure. Given the critical nature of crime reporting systems in maintaining public safety and legal processes, the vulnerability could have cascading effects on national security and judicial proceedings within European countries. The medium CVSS score suggests that while exploitation is feasible, the overall impact is somewhat contained, but the sensitivity of the data involved elevates the practical severity.

Organizations should immediately audit their deployments of the code-projects Crime Reporting System to identify any instances of version 1.0 in use. Since no official patches are currently available, temporary mitigations include implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'email' parameter in /headlogin.php. Input validation and sanitization should be enforced at the application level, ideally by applying parameterized queries or prepared statements if source code access is available. Network segmentation and strict access controls should be applied to limit exposure of the vulnerable system to untrusted networks. Monitoring and logging of all access attempts to the affected endpoint should be enhanced to detect potential exploitation attempts. Organizations should also engage with the vendor or community for updates or patches and plan for an immediate upgrade once a fix is released. Conducting penetration testing focused on SQL injection vectors can help identify residual risks. Finally, sensitive data should be encrypted at rest and in transit to mitigate data exposure risks in case of compromise.