CVE-2025-64489

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application and, critically, can self-reactivate their account. This undermines administrative controls and allows unauthorized persistence. This issue is fixed in versions 7.14.8 and 8.9.1.

CVSS Details

CVSS Score

8.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE

SuiteCRM 7.14.7及之前版本

SuiteCRM 8.0.0-beta.1至8.9.0版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

暂无公开PoC代码

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-64489
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-64489
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-64489/
[4] VulDB https://vuldb.com/cve/CVE-2025-64489
[5] https://github.com/SuiteCRM/SuiteCRM-Core/commit/30277cfe69755f7360a23d4805e06a5c38f14131
[6] https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d
[7] https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-j6jg-9jj3-q2ph

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-64489", "sourceIdentifier": "[email protected]", "published": "2025-11-08T01:15:38.607", "lastModified": "2025-11-25T17:31:42.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application and, critically, can self-reactivate their account. This undermines administrative controls and allows unauthorized persistence. This issue is fixed in versions 7.14.8 and 8.9.1."}, {"lang": "es", "value": "SuiteCRM es una aplicación de software de Gestión de Relaciones con Clientes (CRM) de código abierto y lista para empresas. Las versiones 7.14.7 y anteriores, 8.0.0-beta.1 hasta la 8.9.0, contienen una vulnerabilidad de escalada de privilegios donde las sesiones de usuario no se invalidan tras la desactivación de la cuenta. Un usuario inactivo con una sesión activa puede seguir accediendo a la aplicación y, críticamente, puede reactivar su propia cuenta. Esto socava los controles administrativos y permite la persistencia no autorizada. Este problema se ha solucionado en las versiones 7.14.8 y 8.9.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.14.8", "matchCriteriaId": "37968BEF-2577-4B8F-AE06-8C9DCEB9C84B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.9.1", "matchCriteriaId": "5DFDEB5D-4821-41F8-AEBB-38D394739DDE"}]}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM-Core/commit/30277cfe69755f7360a23d4805e06a5c38f14131", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-j6jg-9jj3-q2ph", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}