CVE-2025-10095 MEDIUM

CVE-2025-10095: SQL injection in SMPP component of SMSEagle firmware

Vendor Proximus Sp. Z O.o.

Product SMSEagle

Weakness CWE-89 · SQLi

Published September 9, 2025

Last update September 11, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A SQL injection vulnerability has been identified in the SMPP server component of the SMSEagle firmware, specifically affecting the handling of certain parameters within the server's database interactions. The vulnerability is isolated to the SMPP server, which operates with its own dedicated database, separate from the main software's database. This isolation limits the scope of the vulnerability to the SMPP server's operations. The vulnerability arises from improper sanitization of user input in the SMPP server's scripts. This issue has been fixed in version 6.11.

Key dates

02Disclosure timeline

September 9, 2025 CVE published

September 11, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-10095

Related vulnerabilities

CVE-2025-10095: SQL injection in SMPP component of SMSEagle firmware

01Description

02Disclosure timeline

03References

04Related CVE