Multiple SuiteCRM Vulnerabilities Allowing SQL Injection, Privilege Escalation, and Access Control Bypass
SuiteCRM, an open-source enterprise CRM platform, was found to contain several critical vulnerabilities affecting versions 7.14.7 and prior, as well as 8.0.0-beta.1 through 8.9.0. These flaws include time-based blind SQL injection, authenticated SQL injection in the Reschedule Call module, privilege escalation via improper session invalidation and inactive user bypass, and inconsistent RBAC enforcement that enables access control bypass. Attackers exploiting these vulnerabilities could extract sensitive data, escalate privileges, or gain unauthorized access to restricted modules and data. All issues are addressed in SuiteCRM versions 7.14.8 and 8.9.1.
The SQL injection vulnerabilities allow authenticated users to infer or exfiltrate database contents, potentially compromising the confidentiality and integrity of stored information. The privilege escalation flaw permits inactive users with active sessions to reactivate their accounts and maintain unauthorized access, undermining administrative controls. Additionally, inconsistent role-based access control enforcement allows low-privileged users to view and create work items in modules that should be inaccessible. Organizations using affected SuiteCRM versions are strongly advised to upgrade to the latest patched releases to mitigate these risks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CVE-2025-64492 disclosed for authenticated blind SQL injection in SuiteCRM
A high-severity authenticated time-based blind SQL injection vulnerability affecting SuiteCRM 8.9.0 and below was publicly disclosed. The flaw allows a remote authenticated attacker to infer database contents through response timing, enabling database enumeration, sensitive data extraction, and possible privilege escalation.
CVE-2025-64490 disclosed for SuiteCRM RBAC access control bypass
CVE-2025-64490 was published as a high-severity vulnerability involving inconsistent role-based access control enforcement in SuiteCRM. The flaw enables an access control bypass affecting the product's authorization model.
CVE-2025-64489 disclosed for SuiteCRM session invalidation privilege escalation
A high-severity SuiteCRM vulnerability was disclosed in which deactivated users with existing sessions can continue accessing the application and even reactivate their own accounts. The issue weakens administrative controls and enables unauthorized persistence after deactivation.
CVE-2025-64488 disclosed for SQL injection in SuiteCRM Reschedule Call module
A high-severity authenticated SQL injection vulnerability in SuiteCRM's Reschedule Call module was publicly disclosed. The flaw allows a low-privileged attacker to manipulate the call_id parameter to alter SQL queries, potentially leading to unauthorized data access, exfiltration, or full database compromise.
SuiteCRM fixes multiple high-severity vulnerabilities in 7.14.8 and 8.9.1
SuiteCRM addressed several high-severity flaws affecting versions 7.14.7 and earlier and 8.0.0-beta.1 through 8.9.0, including SQL injection, privilege escalation, and access control bypass issues. The fixes were released in SuiteCRM 7.14.8 and 8.9.1, according to the referenced GitHub security advisories and commits.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2025-64492 - SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection
cvefeed.io
Open sourceCVE-2025-64490 - SuiteCRM's Inconsistent RBAC Enforcement Enables Access Control Bypass
cvefeed.io
Open sourceCVE-2025-64489 - SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass
cvefeed.io
Open sourceCVE-2025-64488 - SuiteCRM: Authenticated SQL Injection Possible in Reschedule Call Module
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
High-Severity Access Control and Session Forgery Flaws Patched in SuiteCRM and Auth0 PHP SDK
SuiteCRM disclosed **CVE-2026-29189**, a high-severity insecure direct object reference (`IDOR`) flaw in its REST API V8 caused by missing ACL checks on user preferences and relationship endpoints. In versions before **7.15.1** and **8.9.3**, authenticated users could access or modify data beyond their assigned permissions, creating high confidentiality and integrity risk in deployments of the open-source CRM platform. The issue is tracked as **CWE-639** and carries a CVSS v3.1 rating reflecting low attack complexity and no user interaction requirement. Auth0 also patched **CVE-2026-34236** in the **Auth0-PHP SDK**, where insufficient entropy in cookie encryption allowed attackers to potentially brute-force encryption keys and forge session cookies. The flaw affects versions **8.0.0 through before 8.19.0** and is classified as **CWE-331**, with significant confidentiality and integrity impact for applications relying on the SDK for authentication. Auth0 fixed the issue in **8.19.0**, while SuiteCRM remediated its API authorization weakness in **7.15.1** and **8.9.3**.
Apr 1, 2026
ChurchCRM Fixed Two SQL Injection Flaws in Property and Fundraiser Functions
ChurchCRM fixed two SQL injection vulnerabilities affecting versions prior to `7.1.0`, both of which could be exploited by authenticated users with low privileges to access or alter backend data. One flaw, tracked as `CVE-2026-34402`, was a time-based blind SQL injection in `PropertyAssign.php` that could be abused by users with **Edit Records** or **Manage Groups** permissions to exfiltrate or modify arbitrary database content, including user credentials, personally identifiable information, and configuration secrets. A second flaw, `CVE-2026-35566`, affected `src/Reports/FundRaiserStatement.php`, where an unquoted `$_SESSION['iCurrentFundraiser']` value was used in a numeric SQL context without integer validation after being set through `src/FundRaiserEditor.php`. The issue carried critical impact because it could compromise confidentiality, integrity, and availability, while both vulnerabilities were classified as `CWE-89` and addressed in ChurchCRM `7.1.0` through published GitHub security advisories.
Apr 7, 2026
Multiple Critical Vulnerabilities in Imaster MEMS Events CRM and Patient Records Management Systems
Several critical and high-severity vulnerabilities have been identified in Imaster's MEMS Events CRM and Patient Records Management System, including SQL injection and stored Cross-Site Scripting (XSS) flaws. The vulnerabilities, tracked as CVE-2025-41003, CVE-2025-41004, CVE-2025-41005, and CVE-2025-41006, were discovered by Gonzalo Aguilar García (6h4ack) and coordinated by INCIBE. Specifically, SQL injection vulnerabilities exist in the 'id' parameter of `/projects/hospital/admin/complaints.php` (CVE-2025-41004), the 'keyword' parameter of `/memsdemo/exchange_offers.php` (CVE-2025-41005), and the 'phone' parameter of `/memsdemo/login.php` (CVE-2025-41006`). Additionally, a stored XSS vulnerability (CVE-2025-41003) affects the 'firstname' parameter in `/projects/hospital/admin/edit_patient.php`. All vulnerabilities are remotely exploitable, with CVSS v4.0 base scores ranging from 5.1 (medium) to 9.3 (critical), and no patches have been reported as available. The vulnerabilities impact enterprise management software used for event and patient record management, posing significant risks of unauthorized access, data exfiltration, and potential compromise of sensitive information. The SQL injection flaws, in particular, allow attackers to execute arbitrary SQL commands, potentially leading to full database compromise. The stored XSS vulnerability enables the execution of arbitrary JavaScript in the context of affected users, increasing the risk of session hijacking and further exploitation. Organizations using Imaster's MEMS Events CRM or Patient Records Management System should urgently assess their exposure and implement compensating controls until official fixes are released.
Mar 21, 2026