CVE-2025-59428
📋 TL;DR
This vulnerability in EspoCRM allows an attacker who holds Knowledge Base edit permissions to create arbitrary user accounts, including administrative accounts, through stored SVG injection combined with CSRF. The attacker plants a crafted SVG element in a Knowledge Base article; when a victim who is logged in with sufficient privileges (an administrator, in the admin-account case) clicks the malicious link it contains, the victim's browser issues a forged request that creates attacker-controlled accounts. All EspoCRM versions before 9.1.9 are affected.
💻 Affected Systems
- EspoCRM
📦 What is this software?
EspoCRM by EspoCRM. EspoCRM is an open-source, web-based customer relationship management (CRM) application; its Knowledge Base module stores user-authored article content, which is where the injected SVG lives in this issue.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through creation of administrative accounts, leading to data theft, privilege escalation, and complete control over the CRM system.
Likely Case
Creation of unauthorized user accounts with varying privilege levels, potentially leading to data exfiltration, unauthorized access to sensitive customer information, and further lateral movement.
If Mitigated
Limited impact with proper access controls, where only authorized users have Knowledge Base edit permissions and CSRF protections are implemented.
🎯 Exploit Status
Requires the attacker to have Knowledge Base edit permissions and to social-engineer a privileged, logged-in victim into clicking the malicious link. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1.9
Vendor Advisory: https://github.com/espocrm/espocrm/security/advisories/GHSA-c26c-wvhr-fr6r
Restart Required: No
Instructions:
1. Back up the EspoCRM installation directory and the database.
2. Upgrade to 9.1.9 or later with the official upgrade package, either from Administration > Upgrade or from the CLI with php command.php upgrade run in the installation root. This is the supported path; overwriting installation files with a fresh download is not.
3. Clear the cache from Administration > Clear Cache (or php command.php clear-cache).
4. Confirm the new version under Administration > About.
🔧 Temporary Workarounds
Restrict Knowledge Base Permissions
Limit Knowledge Base edit permissions to a small set of trusted users. This shrinks the attack surface but does not remove it: any account that keeps the permission can still plant the payload.
Implement CSRF Protection
Add CSRF tokens to state-changing API endpoints if custom modifications are possible. Caveat: tokens only help when the forged request originates outside the application's origin; if the injected SVG is rendered as part of the EspoCRM page itself, it shares the victim's session and any token the page holds. Stripping or rejecting SVG and other active markup in Knowledge Base article bodies is the more direct control.
🧯 If You Can't Patch
- Implement strict access controls to limit Knowledge Base edit permissions to minimal trusted users.
- Monitor user creation logs and API access patterns for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check EspoCRM version in Administration > About. If version is below 9.1.9, the system is vulnerable.
Check Version:
Check Administration > About in the EspoCRM web interface, or read the version key in data/config.php in the installation root.
Verify Fix Applied:
After patching, confirm that Administration > About shows 9.1.9 or higher. On a non-production copy, save a Knowledge Base article whose body contains an inline SVG element with an embedded link: it should be stored with the SVG stripped or rendered inert. If the SVG is rendered as active content, the fix is not in place.
📡 Detection & Monitoring
Log Indicators:
- User records created through POST requests to api/v1/User that no administrator can account for, especially new users with the admin flag set
- User creation that follows, within seconds, the same client retrieving a Knowledge Base article
- Knowledge Base article edits whose body contains svg markup, particularly with links to external hosts
Network Indicators:
- Browser traffic from staff workstations to unfamiliar external domains with the EspoCRM site as referer (the malicious link in the SVG points off-site)
- Unusual volume or timing of POST requests to api/v1/User
SIEM Query:
source="espocrm" AND (uri_path="/api/v1/User" AND method="POST" AND status<300) | stats count by src_ip, user_agent
Field names (uri_path, method, status, src_ip, user_agent) follow the log source's own schema and may need adjusting; the status filter keeps only requests that actually created a user.
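The log indicators and the SIEM query above can also be checked offline against a web-server access log. The following Python script is an added example, not part of this page or of the EspoCRM project. It assumes a root-path install so the API appears under /api/v1/, that the web server writes combined-format access logs, and that Knowledge Base articles are fetched through /api/v1/KnowledgeBaseArticle (an assumed REST path). The log lines are constructed sample data using documentation IP ranges. It flags every successful POST to api/v1/User and marks those that the same client issued shortly after viewing a Knowledge Base article, then reproduces the SIEM query's per-client count.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample access log in Apache/nginx combined format (not real traffic).
# Client addresses are RFC 5737 documentation ranges; the host name is fictitious.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:14:02:11 +0000] "GET /api/v1/KnowledgeBaseArticle/6852a1 HTTP/1.1" 200 4102 "https://crm.example.test/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:14:02:14 +0000] "POST /api/v1/User HTTP/1.1" 200 612 "https://crm.example.test/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:14:02:16 +0000] "POST /api/v1/User HTTP/1.1" 200 620 "https://crm.example.test/" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:14:05:30 +0000] "GET /api/v1/Account HTTP/1.1" 200 1822 "https://crm.example.test/" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:16:40:02 +0000] "POST /api/v1/User HTTP/1.1" 200 598 "https://crm.example.test/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2025:16:41:00 +0000] "POST /api/v1/User HTTP/1.1" 403 120 "https://crm.example.test/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

USER_ENDPOINT = "/api/v1/User"               # user-creation endpoint named on this page
KB_PREFIX = "/api/v1/KnowledgeBaseArticle"   # assumed REST path for Knowledge Base articles


def parse_log(text):
    """Parse combined-format lines into dicts, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["path"] = e["path"].split("?", 1)[0]  # drop any query string
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])


def successful_user_creations(entries):
    """POST /api/v1/User answered with 2xx: a user record was actually created."""
    return [e for e in entries
            if e["method"] == "POST" and e["path"] == USER_ENDPOINT
            and 200 <= e["status"] < 300]


def flag_user_creations(entries, window=timedelta(seconds=60)):
    """For each successful creation, record whether the same client fetched a
    Knowledge Base article within `window` beforehand (the SVG-link -> CSRF flow)."""
    kb_views = [e for e in entries
                if e["method"] == "GET" and e["path"].startswith(KB_PREFIX)]
    results = []
    for c in successful_user_creations(entries):
        preceded = any(v["ip"] == c["ip"] and timedelta(0) <= c["ts"] - v["ts"] <= window
                       for v in kb_views)
        results.append({"ip": c["ip"], "ts": c["ts"].isoformat(), "kb_view_before": preceded})
    return results


def creations_by_client(entries):
    """Offline equivalent of the SIEM query: successful creations per (src_ip, user_agent)."""
    return Counter((e["ip"], e["ua"]) for e in successful_user_creations(entries))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for r in flag_user_creations(parsed):
        tag = "SUSPICIOUS" if r["kb_view_before"] else "review"
        print(f"{tag:10} {r['ip']} created a user at {r['ts']}")
    for (ip, ua), n in creations_by_client(parsed).items():
        print(f"{ip} ({ua}): {n} user creation(s)")
```

Point parse_log at a real access log and tune the window to the latency you see between page loads and API calls in your environment; the correlation is a triage aid that narrows which user creations to compare against the administrator's own change record, not a verdict on its own.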