SQL Injection Vulnerability in BEIMS Contractor Web by FMI Works
CVE-2025-10460

9.4 CRITICAL

Key Information:

Vendor: Beims (BEIMS Contractor Web, FMI Works)
CVE Published: 17 November 2025

What is CVE-2025-10460?

BEIMS Contractor Web passes a request parameter into a SQL query on the /BEIMSWeb/contractor.asp endpoint without sanitization or parameterization. An unauthorized user who can reach that endpoint over the network can therefore execute arbitrary SQL against the backing database and read sensitive data from it, which puts the database's confidentiality, integrity and availability at risk; the exposure is greatest where the endpoint is reachable from the internet. BEIMS Contractor Web is a legacy product that no longer receives maintenance or security patches from FMI Works, so no fix is expected: users should assume that all versions, including those not yet verified, are vulnerable until the vendor says otherwise, and limit the risk by restricting network access to the endpoint or retiring the application.
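The flaw class described above, as an added illustration that is not code from BEIMS Contractor Web or from FMI Works. The real endpoint is classic ASP and its parameter name is not published, so this example uses a constructed SQLite table and a hypothetical name-lookup function to show the two things the advisory describes: a parameter concatenated into SQL lets a caller return every row (tautology) or pull rows from an unrelated table (UNION), while the parameterized form treats the same input as a literal string and returns nothing. The table names, columns and rows are all invented for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a contractor database. Not BEIMS data.
CONTRACTORS = [
    ("Acme Plumbing", "11 111 111 111"),
    ("Bright Electrical", "22 222 222 222"),
    ("Cool Air HVAC", "33 333 333 333"),
]
USERS = [
    ("admin", "$2b$12$constructedhash1"),
    ("fmops", "$2b$12$constructedhash2"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a contractors table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contractors (id INTEGER PRIMARY KEY, name TEXT, abn TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO contractors (name, abn) VALUES (?, ?)", CONTRACTORS)
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Hypothetical vulnerable lookup: the request parameter is concatenated into the SQL text,
    which is the pattern the advisory describes (unsanitized parameter input)."""
    sql = "SELECT id, name, abn FROM contractors WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened lookup: the value is bound as a parameter, never spliced into the query."""
    sql = "SELECT id, name, abn FROM contractors WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payloads. The tautology widens the WHERE clause to every row; the UNION
# appends rows from a table the endpoint was never meant to expose. The trailing "-- "
# comments out the closing quote the original query supplied.
TAUTOLOGY = "x' OR '1'='1"
UNION = "x' UNION SELECT id, username, password_hash FROM users -- "


def demo() -> dict:
    """Run a legitimate value and both payloads through each lookup and collect the results."""
    conn = build_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "Acme Plumbing"),
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION),
        "legit_safe": lookup_parameterized(conn, "Acme Plumbing"),
        "tautology_safe": lookup_parameterized(conn, TAUTOLOGY),
        "union_safe": lookup_parameterized(conn, UNION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

In the vulnerable function the tautology payload returns all three contractors and the UNION payload returns the two user rows with their hashes, which is the "access sensitive database information" outcome in the advisory; the parameterized function returns an empty list for both because the payload is compared as a literal name. The same distinction applies in classic ASP: building the statement with string concatenation around a `Request` value is the vulnerable shape, while an `ADODB.Command` with a `CommandText` containing `?` placeholders and values attached via `CreateParameter` is the parameterized one.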

Affected Version(s)

Contractor Web 5.7

References

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical (not a defined value for this CVSS v4 metric, which takes None or Present; treat the listed value as unverified)
Privileges Required: Undefined (not a defined value; CVSS v4 uses None, Low or High; treat the listed value as unverified)
User Interaction: None

Timeline

  • Vulnerability published: 17 November 2025

  • Vulnerability reserved

Credit

Nicholas Page