CVE-2025-10664: Phpgurukul Small CRM SQLi Vulnerability

CVE-2025-10664 is a SQL injection flaw in Phpgurukul Small CRM 4.0 affecting the create-ticket.php file. Attackers can remotely exploit the subject parameter. This article covers technical details, impact, and mitigation.

CVE-2025-10664 Overview

A SQL Injection vulnerability has been identified in PHPGurukul Small CRM version 4.0. The vulnerability exists within the /create-ticket.php file, where improper handling of the subject argument allows attackers to inject malicious SQL commands. This flaw can be exploited remotely without authentication, potentially allowing unauthorized access to sensitive database information, data manipulation, or system compromise.

Critical Impact

Remote attackers can exploit this SQL Injection vulnerability to extract, modify, or delete data from the underlying database, potentially compromising all customer relationship management data stored in the application.

Affected Products

  • PHPGurukul Small CRM 4.0
  • Deployments that embed the phpgurukul:small_crm component

Discovery Timeline

  • September 18, 2025 - CVE-2025-10664 published to NVD
  • September 19, 2025 - Last updated in NVD database

Technical Details for CVE-2025-10664

Vulnerability Analysis

This SQL Injection vulnerability affects the ticket creation functionality in PHPGurukul Small CRM 4.0. The application fails to properly sanitize user-supplied input in the subject parameter before incorporating it into SQL queries. This lack of input validation creates a classic SQL Injection attack surface that can be exploited remotely over the network.

The vulnerability requires no authentication or user interaction to exploit, making it particularly dangerous for exposed instances of the CRM application. Successful exploitation could allow attackers to bypass authentication mechanisms, extract sensitive customer data, modify records, or potentially achieve further system compromise depending on database permissions.

Root Cause

The root cause of this vulnerability is the failure to implement proper input validation and parameterized queries (prepared statements) in the /create-ticket.php file. The application directly concatenates user-controlled input from the subject argument into SQL queries without sanitization or escaping, violating secure coding practices for database interactions. This represents a CWE-89 (SQL Injection) weakness, which falls under the broader category of CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
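To make the root cause concrete, the following added example (not the project's code) contrasts the concatenation pattern with a parameterized query. It uses Python's sqlite3 as a stand-in for the application's PHP/MySQL code, and the `tickets` table schema is an assumption for illustration.

```python
import sqlite3

# Constructed stand-in for the CRM's ticket table; the real application is PHP on MySQL,
# and this schema is an assumption, not the project's own.
SCHEMA = "CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT, priority TEXT)"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def create_ticket_vulnerable(conn, subject, priority="normal"):
    # Mirrors the root cause: the subject value is spliced into the SQL text,
    # so quote characters inside it are parsed as SQL rather than stored as data.
    sql = ("INSERT INTO tickets (subject, priority) VALUES ('"
           + subject + "', '" + priority + "')")
    conn.execute(sql)
    conn.commit()


def create_ticket_fixed(conn, subject, priority="normal"):
    # Prepared statement: the SQL text is fixed and the values travel separately,
    # so the database never interprets them as SQL syntax.
    conn.execute("INSERT INTO tickets (subject, priority) VALUES (?, ?)",
                 (subject, priority))
    conn.commit()


def stored_tickets(conn):
    return conn.execute("SELECT subject, priority FROM tickets ORDER BY id").fetchall()


def demo(subject):
    """Feed the same subject to both versions; return (vulnerable_result, fixed_result).

    The vulnerable result is the rows stored, or an 'error: ...' string when the
    spliced-in value broke the statement (a syntax error is often the first symptom).
    """
    vuln_db = new_db()
    try:
        create_ticket_vulnerable(vuln_db, subject)
        vuln = stored_tickets(vuln_db)
    except sqlite3.Error as exc:
        vuln = f"error: {exc}"
    fixed_db = new_db()
    create_ticket_fixed(fixed_db, subject)
    return vuln, stored_tickets(fixed_db)
```

A subject such as `Can't print` breaks the concatenated statement outright, while a subject that closes the quote and comments out the rest lets the caller set the `priority` column; the parameterized version stores both verbatim.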

Attack Vector

The attack can be launched remotely over the network against vulnerable PHPGurukul Small CRM installations. An attacker would craft a malicious HTTP request to the /create-ticket.php endpoint containing SQL injection payloads in the subject parameter. The exploit has been publicly disclosed, increasing the risk of exploitation in the wild.

The vulnerability allows manipulation through standard SQL injection techniques. Attackers can leverage this flaw to:

  • Extract database contents using UNION-based or error-based injection
  • Bypass authentication controls
  • Modify or delete existing records
  • Potentially execute operating system commands if database permissions allow

Technical details regarding this vulnerability can be found in the GitHub Issue Tracker and the VulDB entry #324785.

Detection Methods for CVE-2025-10664

Indicators of Compromise

  • Unusual SQL syntax or special characters in web server logs for /create-ticket.php requests
  • Unexpected database queries containing UNION SELECT, OR 1=1, or other SQL injection patterns
  • Anomalous access to database tables containing sensitive CRM data
  • Error messages in application logs indicating SQL syntax errors from malformed queries

Detection Strategies

  • Monitor HTTP request logs for suspicious payloads in the subject parameter targeting /create-ticket.php
  • Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns
  • Configure database auditing to alert on unusual query patterns or data extraction attempts
  • Deploy application security monitoring to detect exploitation attempts in real-time

Monitoring Recommendations

  • Enable detailed logging for the PHPGurukul Small CRM application and associated database
  • Configure alerts for high-volume or failed authentication attempts following ticket creation requests
  • Monitor for data exfiltration indicators such as large result sets or unusual database read patterns
  • Review access logs regularly for requests containing encoded or obfuscated SQL injection payloads
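The indicators and log-review steps above can be turned into a small triage script. This is an added example, not tooling from the page or the vendor; the access log lines are constructed in combined log format, and the pattern list is a coarse starting point that mirrors the indicators listed above (it also undoes repeated percent-encoding so double-encoded payloads are inspected).

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed combined-format access log lines (illustrative only, not from a real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2025:10:01:02 +0000] "GET /create-ticket.php?subject=Printer+jam HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2025:10:01:07 +0000] "GET /create-ticket.php?subject=x%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 200 2048 "-" "python-requests/2.32"
203.0.113.9 - - [18/Sep/2025:10:01:09 +0000] "GET /create-ticket.php?subject=x%2527%2520OR%25201%253D1 HTTP/1.1" 500 120 "-" "python-requests/2.32"
198.51.100.2 - - [18/Sep/2025:10:02:00 +0000] "GET /index.php?subject=1+OR+1%3D1 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2025:10:03:00 +0000] "POST /create-ticket.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Coarse patterns for the indicators listed above; meant for triage, not for blocking.
SQLI_RE = re.compile(
    r"(union\s+select|\bor\s+1\s*=\s*1|'\s*or\s*'|--\s|/\*|\bsleep\s*\(|\binformation_schema\b)",
    re.I)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so a double-encoded payload (%2527) is still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding for a suspicious /create-ticket.php request, or None.

    Only the query string is visible in an access log; POST bodies need request-body
    logging (e.g. from the WAF) to be inspected the same way.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path != "/create-ticket.php":
        return None
    for raw in parse_qs(query).get("subject", []):  # parse_qs already decodes one layer
        subject = decode_fully(raw)
        hit = SQLI_RE.search(subject)
        if hit:
            return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
                    "subject": subject, "pattern": hit.group(0)}
    return None


def scan_log(text):
    """Scan every line; returns the findings in log order."""
    return [f for f in map(scan_line, text.splitlines()) if f]
```

A 500 status on a flagged request is worth correlating with the SQL syntax errors mentioned under Indicators of Compromise, since a malformed injected query typically surfaces as both.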

How to Mitigate CVE-2025-10664

Immediate Actions Required

  • Restrict network access to PHPGurukul Small CRM instances to trusted IP addresses only
  • Implement a Web Application Firewall (WAF) with SQL injection detection rules in front of the application
  • Review database user permissions and apply the principle of least privilege
  • Monitor the application for exploitation attempts while awaiting a vendor patch
  • Consider temporarily disabling the ticket creation functionality if not business-critical

Patch Information

At the time of publication, no official patch has been released by the vendor for this vulnerability. Organizations should monitor the PHP Gurukul website for security updates. Until a patch becomes available, implementing the recommended workarounds and detection strategies is strongly advised.

Workarounds

  • Deploy a Web Application Firewall configured to block SQL injection patterns in HTTP parameters
  • Implement custom input validation on the web server to sanitize the subject parameter before it reaches the application
  • Restrict database user permissions for the CRM application to read-only where possible
  • Isolate the CRM application in a network segment with restricted access
  • Consider using a reverse proxy with request filtering capabilities to inspect and sanitize incoming traffic

```apache
# Example: ModSecurity WAF rule to detect SQL injection in the subject parameter
# (blocks only with SecRuleEngine On; under DetectionOnly the match is logged, not blocked)
SecRule ARGS:subject "@detectSQLi" \
    "id:100001,\
    phase:2,\
    block,\
    msg:'SQL Injection attempt detected in subject parameter',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    severity:'CRITICAL'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.