Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64490

CVE-2025-64490: SuiteCRM Information Disclosure Flaw

CVE-2025-64490 is an information disclosure vulnerability in SuiteCRM that allows low-privileged users to bypass role restrictions and access restricted data. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-64490 Overview

CVE-2025-64490 is a broken access control vulnerability [CWE-863] in SuiteCRM, an open-source Customer Relationship Management application. The flaw allows low-privileged authenticated users to view and create work items through the Resource Calendar and project screens. This bypass occurs even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, Calls) are explicitly set to Disabled/None in Role Management. The vulnerability stems from inconsistent Access Control List (ACL) and Role-Based Access Control (RBAC) enforcement across modules and views. Affected versions include SuiteCRM 7.14.7 and prior, and 8.0.0-beta.1 through 8.9.0. SalesAgility fixed the issue in versions 7.14.8 and 8.9.1.

Critical Impact

Authenticated users with restrictive roles can bypass module-level access controls to read and create sensitive CRM records, including Leads, Accounts, Meetings, and Calls.

Affected Products

  • SuiteCRM versions 7.14.7 and prior
  • SuiteCRM versions 8.0.0-beta.1 through 8.9.0
  • SalesAgility SuiteCRM (all editions using affected versions)

Discovery Timeline

  • 2025-11-08 - CVE-2025-64490 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64490

Vulnerability Analysis

The vulnerability resides in how SuiteCRM enforces module-level permissions across different views. SuiteCRM's Role Management allows administrators to disable specific modules for restricted user roles. However, the Resource Calendar and project screens query and render data from related modules without consulting the role's module-level ACL configuration.

A low-privileged user can navigate to the Resource Calendar interface and interact with Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, and Calls records. The user can both read existing data and create new work items. This occurs even when those modules are set to Disabled or None in their role configuration.

The issue affects confidentiality and integrity of CRM data. Sensitive customer records, sales leads, and internal scheduling information become accessible to users who should have no visibility into those modules.

Root Cause

The root cause is inconsistent authorization enforcement [CWE-863]. The Resource Calendar and project views perform direct data retrieval and write operations without invoking the same ACL checks applied when users access modules through their primary interfaces. This authorization gap creates a parallel access path that ignores administrative restrictions.

Attack Vector

An attacker requires only valid authenticated credentials with any role assigned. The attacker logs into SuiteCRM, navigates to the Resource Calendar or project screens, and interacts with records from modules they should not access. No special privileges or user interaction beyond standard navigation are required. Exploitation is performed entirely over the network via the standard SuiteCRM web interface.

No public proof-of-concept exploit code is currently available for CVE-2025-64490. Refer to the SuiteCRM GitHub Security Advisory for vendor technical details.

Detection Methods for CVE-2025-64490

Indicators of Compromise

  • Unexpected record creation in Projects, Tasks, Leads, Accounts, Meetings, or Calls modules by users assigned restrictive roles
  • Access logs showing low-privileged user sessions reaching /index.php?module=Calendar or Resource Calendar endpoints followed by writes to restricted modules
  • Audit trail entries attributing modifications to users whose roles disable the target module

Detection Strategies

  • Review SuiteCRM database audit tables to correlate record modifications against the acting user's effective role permissions
  • Compare module access counts in web server logs against the documented module-level restrictions in Role Management
  • Query securitygroups_acl_roles and related ACL tables to identify users with restrictive roles, then look for activity in modules disabled for those roles

Monitoring Recommendations

  • Enable verbose application logging on Resource Calendar and project module endpoints
  • Forward SuiteCRM web server logs and application audit logs into a centralized logging platform for correlation
  • Alert on record creation events in CRM modules originating from accounts not permitted those modules

How to Mitigate CVE-2025-64490

Immediate Actions Required

  • Upgrade SuiteCRM to version 7.14.8 for the 7.x branch, or 8.9.1 for the 8.x branch
  • Inventory all user roles and audit recent activity on the Resource Calendar and project screens for unauthorized record access or creation
  • Review Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, and Calls records created since deployment of an affected version for unexpected entries

Patch Information

SalesAgility released fixes in SuiteCRM 7.14.8 and 8.9.1. The patch corrects ACL enforcement in the Resource Calendar and project views so that module-level role restrictions are honored across all access paths. See the SuiteCRM GitHub Security Advisory GHSA-jh8v-wqgj-hhc2 for full advisory details.

Workarounds

  • Restrict access to the Resource Calendar and project screens at the web server or reverse proxy layer until patching is completed
  • Temporarily remove low-privileged roles from active users where feasible, or consolidate users under audited roles with logged activity
  • Increase audit logging frequency and review of all CRM record creation events while the patch deployment is scheduled
bash
# Upgrade SuiteCRM 7.x to patched release
cd /var/www/suitecrm
wget https://github.com/SuiteCRM/SuiteCRM/releases/download/v7.14.8/SuiteCRM-7.14.8.zip
unzip SuiteCRM-7.14.8.zip
# Follow the official SuiteCRM upgrade procedure and run Repair & Rebuild from the admin panel

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.