VYPR
Medium severity · NVD Advisory · Published Sep 9, 2025 · Updated Apr 15, 2026

CVE-2025-10095

Description

A SQL injection vulnerability has been identified in the SMPP server component of the SMSEagle firmware, specifically affecting the handling of certain parameters within the server's database interactions. The vulnerability is isolated to the SMPP server, which operates with its own dedicated database, separate from the main software's database. This isolation limits the scope of the vulnerability to the SMPP server's operations. The vulnerability arises from improper sanitization of user input in the SMPP server's scripts.

This issue has been fixed in version 6.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A medium-severity SQL injection in SMSEagle's SMPP server affects firmware versions before 6.11, limited to a separate database. Patched in 6.11.

Vulnerability Overview

A SQL injection vulnerability (CWE-89) has been identified in the SMPP server component of SMSEagle firmware. The bug stems from improper sanitization of user input in the server's scripts, allowing an attacker to inject arbitrary SQL commands into database queries [1][2].

Exploitation and Attack Surface

The vulnerability is present only in the SMPP server, which uses its own dedicated database, isolated from the main software's database. This reduces the potential impact to SMPP-specific operations. An attacker can trigger the injection by sending crafted parameters to the SMPP server. No authentication is required, and the CVSS vector is AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [2].

Impact

Successful exploitation could allow an attacker to access sensitive data stored in the SMPP server's database, leading to limited confidentiality breaches. The SMPP isolation ensures the main system database is not affected [1][2].

Mitigation

The vulnerability is resolved in SMSEagle version 6.11. Users should upgrade to this version or later to eliminate the risk. No workarounds have been provided [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

References: 2
