CVE-2025-10712
Description
A vulnerability was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This issue affects some unknown processing of the file /index.php/Login/login. Manipulation of the argument Username results in SQL injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in 07FLYCMS login allows unauthenticated remote attackers to bypass authentication and gain unauthorized access.
Root Cause
The vulnerability exists in the /index.php/Login/login endpoint of 07FLYCMS (also known as 07FLY-CMS and 07FlyCRM) versions up to 20250831. The Username parameter in POST requests is not properly validated or sanitized, allowing SQL injection. The unsanitized input is directly incorporated into backend database queries, enabling attackers to manipulate the query logic [1].
Exploitation
Exploitation requires no authentication and can be performed remotely. An attacker sends a crafted HTTP POST request to the login endpoint with a malicious SQL payload (e.g., 1' or 1=1 --) in the username field and any arbitrary password. The server executes the manipulated query, bypassing the authentication check [1]. The exploit has been publicly disclosed, increasing the risk of widespread attacks.
Impact
Successful exploitation allows an attacker to bypass the legitimate login process and gain unauthorized access to the system without valid credentials. This can lead to full administrative control, enabling attackers to view, modify, or steal sensitive business data such as customer information, sales records, and financial data. Additionally, attackers can alter system configurations and disrupt normal business operations [1].
Mitigation
The vendor was contacted but did not respond, and no official patch or workaround has been released. Users should consider hardening the affected system by implementing input validation and parameterized queries, or migrating to a supported alternative if the product is end-of-life.
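To make the mitigation concrete, the following is an added example (not 07FLYCMS code, and not a reconstruction of its login handler) that places a string-built login query beside its parameterized replacement. It assumes a hypothetical users table with username and password_hash columns, uses an in-memory SQLite database via PDO as a stand-in for the real backend, and feeds both versions the payload quoted in the Exploitation section to show why the prepared statement neutralizes it.

```php
<?php
// Added example, not part of 07FLYCMS. Hypothetical schema:
// users(id, username, password_hash). SQLite in-memory stands in for MySQL.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // Constructed sample account; the hash is computed at setup time.
    $ins->execute(['admin', password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Vulnerable pattern (illustrative, not the vendor's code): request fields are
// concatenated into the SQL text, so a quote in $username rewrites the WHERE clause.
function loginVulnerable(PDO $db, string $username, string $password): bool {
    $sql = "SELECT id FROM users WHERE username = '$username' AND password_hash = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false;
}

// Hardened pattern: the username is bound as a parameter, so it can only ever be
// compared as a literal value, and the password is checked with password_verify()
// against the stored hash instead of being compared inside the query.
function loginHardened(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Optional defence-in-depth: reject usernames outside the character set the
// application actually issues. This is a validation layer, not a substitute
// for parameterization.
function isWellFormedUsername(string $username): bool {
    return preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $username) === 1;
}

function demo(): array {
    $db = setupDb();
    $payload = "1' or 1=1 --";   // the payload quoted in the advisory text
    return [
        'vulnerable_accepts_payload' => loginVulnerable($db, $payload, 'anything'),
        'hardened_accepts_payload'   => loginHardened($db, $payload, 'anything'),
        'hardened_accepts_real_user' => loginHardened($db, 'admin', 'constructed-sample-password'),
        'payload_passes_validation'  => isWellFormedUsername($payload),
    ];
}

var_dump(demo());
```

Running the script shows the string-built query accepting the payload with any password, while the parameterized version rejects it and still accepts the genuine credentials. The allow-list check on the username is an additional layer for the period before a vendor fix exists; the prepared statement is the change that removes the injection.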
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.