
CVE-2025-7801: SQL Injection in BossSoft CRM

Severity: Medium
Tags: Vulnerability, CVE-2025-7801
Published: Fri Jul 18 2025 (07/18/2025, 18:44:05 UTC)
Source: CVE Database V5
Vendor/Project: BossSoft
Product: CRM

Description

A vulnerability has been found in BossSoft CRM 6.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /crm/module/HNDCBas_customPrmSearchDtl.jsp. The manipulation of the argument cstid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/26/2025, 00:55:20 UTC

Technical Analysis

CVE-2025-7801 is a critical SQL Injection vulnerability identified in BossSoft CRM version 6.0, specifically within the file /crm/module/HNDCBas_customPrmSearchDtl.jsp. The vulnerability arises from improper sanitization of the 'cstid' parameter, which can be manipulated remotely without authentication or user interaction to inject malicious SQL commands. This flaw allows an attacker to interfere with the backend database queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the CRM database. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with an attack vector that is network-based, requiring no privileges or user interaction, and causing low to medium impact on confidentiality, integrity, and availability. Although no public exploits are currently known to be in the wild, the exploit details have been disclosed publicly, increasing the risk of exploitation. The vulnerability affects an unknown functionality within the specified JSP file, which suggests that the affected feature might be a custom or less documented search or query function within the CRM. Given the nature of SQL Injection, attackers could leverage this to extract sensitive customer data, modify records, or disrupt CRM operations, which are critical for business processes and customer relationship management.

Potential Impact

For European organizations using BossSoft CRM 6.0, this vulnerability poses a significant risk to the confidentiality and integrity of customer and business data. Compromise of CRM data can lead to exposure of personally identifiable information (PII), trade secrets, and strategic business information, which may violate GDPR and other data protection regulations, resulting in legal and financial penalties. Additionally, disruption or manipulation of CRM data can impair sales, marketing, and customer support functions, causing operational downtime and reputational damage. Because the flaw is reachable remotely without authentication, any attacker who can reach the endpoint over the network can attempt exploitation without internal access or user interaction, which widens the pool of potential attackers. Organizations in sectors with high regulatory scrutiny or handling sensitive customer data, such as finance, healthcare, and telecommunications, are particularly vulnerable. The medium CVSS score reflects moderate impact, but the critical classification by the vendor and the public disclosure of exploit details warrant urgent attention.

Mitigation Recommendations

European organizations should immediately conduct a thorough audit of their BossSoft CRM 6.0 deployments to identify exposure to the vulnerable JSP endpoint. Since no official patches are currently available, organizations should implement the following specific mitigations:

1) Apply Web Application Firewall (WAF) rules tailored to detect and block SQL Injection attempts targeting the 'cstid' parameter, including patterns of SQL syntax and anomalous input lengths or characters.
2) Employ input validation and sanitization at the application layer, if source code access is possible, to enforce strict parameter type and length constraints.
3) Restrict network access to the CRM application to trusted IP ranges and enforce VPN or zero-trust access models to reduce exposure.
4) Monitor CRM logs for unusual query patterns or errors indicative of injection attempts.
5) Prepare for rapid patch deployment by maintaining close contact with BossSoft for forthcoming security updates.
6) Conduct internal penetration testing focusing on the vulnerable endpoint to assess exploitability and impact.
7) Educate IT and security teams about this vulnerability to ensure timely detection and response.
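Items 2 and 4 above share one building block: an allowlist check on the 'cstid' parameter. The script below is an added example, not code from the advisory, the vendor or the CVE record. It applies that check both as the validation rule a developer would enforce before the value reaches a query and as a detector run over web-server access logs for requests to the vulnerable JSP path. It assumes that cstid is a numeric customer identifier (the advisory does not state its type; adjust the allowlist if it is not), and the log lines are constructed for illustration in Apache/Tomcat combined format, not taken from any real deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path named in the advisory; only requests to it are inspected.
VULN_PATH = "/crm/module/HNDCBas_customPrmSearchDtl.jsp"

# Assumption: cstid is a purely numeric customer id of bounded length.
# An allowlist like this rejects quotes, spaces and operators outright,
# so it does not depend on recognising specific injection payloads.
CSTID_RE = re.compile(r"[0-9]{1,12}")

# Combined-format access log: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Keywords that, inside a value that already failed the allowlist, help an
# analyst triage; the allowlist failure alone is what triggers the alert.
SQL_KEYWORD_RE = re.compile(r"\b(or|and|union|select)\b", re.IGNORECASE)

# Constructed sample log (not real traffic): one benign request to the
# endpoint, two malformed cstid values, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2025:18:50:01 +0000] "GET /crm/module/HNDCBas_customPrmSearchDtl.jsp?cstid=10042 HTTP/1.1" 200 1834
10.0.0.7 - - [18/Jul/2025:18:50:09 +0000] "GET /crm/module/HNDCBas_customPrmSearchDtl.jsp?cstid=10042%27%20OR%201%3D1-- HTTP/1.1" 500 512
10.0.0.9 - - [18/Jul/2025:18:50:13 +0000] "GET /crm/module/HNDCBas_customPrmSearchDtl.jsp?cstid=10042%20OR%201%3D1 HTTP/1.1" 200 9876
10.0.0.9 - - [18/Jul/2025:18:50:20 +0000] "GET /crm/index.jsp HTTP/1.1" 200 300
"""


def cstid_is_valid(value: str) -> bool:
    """Allowlist check: True only for a bounded-length string of digits.

    This is the same rule an application-layer guard would apply before
    the parameter is used in a (parameterized) query."""
    return CSTID_RE.fullmatch(value) is not None


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    # parse_qs percent-decodes values, so %27 becomes a literal quote here.
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": parts.path,
        "status": int(m["status"]),
        "cstid": query.get("cstid", [None])[0],
    }


def find_suspicious(log_text: str):
    """Return one record per request to VULN_PATH whose cstid fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        cstid = rec["cstid"]
        if cstid is None or cstid_is_valid(cstid):
            continue
        reasons = ["cstid fails numeric allowlist"]
        if "'" in cstid or '"' in cstid:
            reasons.append("quote character in cstid")
        if SQL_KEYWORD_RE.search(cstid):
            reasons.append("SQL keyword in cstid")
        if rec["status"] >= 500:
            reasons.append("server error response (possible query failure)")
        hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} cstid={hit["cstid"]!r} '
              f'status={hit["status"]} -> {"; ".join(hit["reasons"])}')
```

Running the script on the sample prints two alerts (from 10.0.0.7 and 10.0.0.9) and stays silent for the benign request and for the unrelated page. The important design choice is that the alert fires on an allowlist failure, not on a keyword match, so an encoded or obfuscated payload that avoids the keyword list is still caught as long as it is not a plain integer; the keyword and status checks only add triage context.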


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-18T08:57:39.674Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 687a99f8a83201eaacf5972d

Added to database: 7/18/2025, 7:01:12 PM

Last enriched: 7/26/2025, 12:55:20 AM

Last updated: 8/16/2025, 11:44:14 AM
