CVE-2025-64490 Overview
CVE-2025-64490 is a broken access control vulnerability [CWE-863] in SuiteCRM, an open-source Customer Relationship Management application. The flaw allows low-privileged authenticated users to view and create work items through the Resource Calendar and project screens. This bypass occurs even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, Calls) are explicitly set to Disabled/None in Role Management. The vulnerability stems from inconsistent Access Control List (ACL) and Role-Based Access Control (RBAC) enforcement across modules and views. Affected versions include SuiteCRM 7.14.7 and prior, and 8.0.0-beta.1 through 8.9.0. SalesAgility fixed the issue in versions 7.14.8 and 8.9.1.
Critical Impact
Authenticated users with restrictive roles can bypass module-level access controls to read and create sensitive CRM records, including Leads, Accounts, Meetings, and Calls.
Affected Products
- SuiteCRM versions 7.14.7 and prior
- SuiteCRM versions 8.0.0-beta.1 through 8.9.0
- SalesAgility SuiteCRM (all editions using affected versions)
Discovery Timeline
- 2025-11-08 - CVE-2025-64490 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64490
Vulnerability Analysis
The vulnerability resides in how SuiteCRM enforces module-level permissions across different views. SuiteCRM's Role Management allows administrators to disable specific modules for restricted user roles. However, the Resource Calendar and project screens query and render data from related modules without consulting the role's module-level ACL configuration.
A low-privileged user can navigate to the Resource Calendar interface and interact with Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, and Calls records. The user can both read existing data and create new work items. This occurs even when those modules are set to Disabled or None in their role configuration.
The issue affects confidentiality and integrity of CRM data. Sensitive customer records, sales leads, and internal scheduling information become accessible to users who should have no visibility into those modules.
Root Cause
The root cause is inconsistent authorization enforcement [CWE-863]. The Resource Calendar and project views perform direct data retrieval and write operations without invoking the same ACL checks applied when users access modules through their primary interfaces. This authorization gap creates a parallel access path that ignores administrative restrictions.
Attack Vector
An attacker requires only valid authenticated credentials with any role assigned. The attacker logs into SuiteCRM, navigates to the Resource Calendar or project screens, and interacts with records from modules they should not access. No special privileges or user interaction beyond standard navigation are required. Exploitation is performed entirely over the network via the standard SuiteCRM web interface.
No public proof-of-concept exploit code is currently available for CVE-2025-64490. Refer to the SuiteCRM GitHub Security Advisory for vendor technical details.
Detection Methods for CVE-2025-64490
Indicators of Compromise
- Unexpected record creation in Projects, Tasks, Leads, Accounts, Meetings, or Calls modules by users assigned restrictive roles
- Access logs showing low-privileged user sessions reaching /index.php?module=Calendar or Resource Calendar endpoints followed by writes to restricted modules
- Audit trail entries attributing modifications to users whose roles disable the target module
Detection Strategies
- Review SuiteCRM database audit tables to correlate record modifications against the acting user's effective role permissions
- Compare module access counts in web server logs against the documented module-level restrictions in Role Management
- Query securitygroups_acl_roles and related ACL tables to identify users with restrictive roles, then look for activity in modules disabled for those roles
Monitoring Recommendations
- Enable verbose application logging on Resource Calendar and project module endpoints
- Forward SuiteCRM web server logs and application audit logs into a centralized logging platform for correlation
- Alert on record creation events in CRM modules originating from accounts not permitted those modules
How to Mitigate CVE-2025-64490
Immediate Actions Required
- Upgrade SuiteCRM to version 7.14.8 for the 7.x branch, or 8.9.1 for the 8.x branch
- Inventory all user roles and audit recent activity on the Resource Calendar and project screens for unauthorized record access or creation
- Review Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, and Calls records created since deployment of an affected version for unexpected entries
Patch Information
SalesAgility released fixes in SuiteCRM 7.14.8 and 8.9.1. The patch corrects ACL enforcement in the Resource Calendar and project views so that module-level role restrictions are honored across all access paths. See the SuiteCRM GitHub Security Advisory GHSA-jh8v-wqgj-hhc2 for full advisory details.
Workarounds
- Restrict access to the Resource Calendar and project screens at the web server or reverse proxy layer until patching is completed
- Temporarily remove low-privileged roles from active users where feasible, or consolidate users under audited roles with logged activity
- Increase audit logging frequency and review of all CRM record creation events while the patch deployment is scheduled
# Upgrade SuiteCRM 7.x to patched release
cd /var/www/suitecrm
wget https://github.com/SuiteCRM/SuiteCRM/releases/download/v7.14.8/SuiteCRM-7.14.8.zip
unzip SuiteCRM-7.14.8.zip
# Follow the official SuiteCRM upgrade procedure and run Repair & Rebuild from the admin panel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

