CVE-2025-64490
📋 TL;DR
SuiteCRM versions 7.14.7 and prior, and 8.0.0-beta.1 through 8.9.0 have an access control vulnerability where low-privileged users can view and create work items through Resource Calendar and project screens even when related modules are explicitly disabled in Role Management. This allows unauthorized data exposure and modification. Organizations using affected SuiteCRM versions with role-based access control are impacted.
💻 Affected Systems
- SuiteCRM
📦 What is this software?
Suitecrm by Salesagility
⚠️ Risk & Real-World Impact
Worst Case
Low-privileged users could access sensitive customer data, modify critical business records, or disrupt project workflows across multiple modules including Projects, Tasks, Leads, Accounts, and Meetings.
Likely Case
Internal users with restricted roles gain unintended access to view and modify CRM data they shouldn't have permissions for, potentially leading to data leaks or unauthorized changes to business records.
If Mitigated
With proper network segmentation and monitoring, impact is limited to authorized users gaining unintended access within their authenticated session scope.
🎯 Exploit Status
Exploitation requires authenticated low-privileged user access and involves navigating to Resource Calendar or project screens.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.14.8 and 8.9.1
Vendor Advisory: https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-jh8v-wqgj-hhc2
Restart Required: No
Instructions:
1. Back up your SuiteCRM instance and database.
2. Update to SuiteCRM version 7.14.8 or 8.9.1.
3. Verify that role permissions are correctly enforced after the update.
🔧 Temporary Workarounds
Disable Resource Calendar and Project Screens
Temporarily disable access to Resource Calendar and project screens for all low-privileged users.
Navigate to Admin > Role Management > Edit roles to remove Resource Calendar and project screen permissions.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SuiteCRM from sensitive networks
- Enable detailed audit logging for all Resource Calendar and project screen access attempts
🔍 How to Verify
Check if Vulnerable:
Check the SuiteCRM version in Admin > System Settings. If the version is 7.14.7 or earlier, or between 8.0.0-beta.1 and 8.9.0, the system is vulnerable.
Check Version:
Check Admin > System Settings in SuiteCRM web interface
Verify Fix Applied:
After patching, log in with a low-privileged user account and confirm that modules set to Disabled/None in Role Management cannot be accessed through Resource Calendar or project screens.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Resource Calendar or project screens by low-privileged users
- Access to modules that should be disabled per role configuration
Network Indicators:
- Increased API calls to calendar/project endpoints from low-privileged user accounts
SIEM Query:
source="suitecrm" AND (uri_path="/index.php?module=Calendar" OR uri_path="/index.php?module=Project") AND user_role="low_privilege"
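A small detector for the log indicators above and for the post-patch check, added here as an example that is not from the advisory or from SuiteCRM: it assumes a constructed access-log line shape (`<user> <method> <uri> <status>`), a constructed Role Management export and user-to-role mapping, and uses only the screen and module names the advisory gives. The "bypass screen" rule is a hunting heuristic with the same intent as the SIEM query, not a confirmed exploit signature.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed role export: role -> {module: access level from Role Management}.
# Modules absent from a role's map are treated as Enabled.
ROLES = {
    "sales_rep": {"Project": "Disabled", "ProjectTask": "Disabled", "Accounts": "None"},
    "admin": {},
}
USER_ROLE = {"alice": "sales_rep", "bob": "admin"}  # constructed mapping

# Screens the advisory names as the bypass path, and the modules it says leak.
BYPASS_SCREENS = {"Calendar", "Project"}
RELATED_MODULES = {"Project", "ProjectTask", "Tasks", "Leads", "Accounts", "Meetings"}

# Constructed access-log shape: "<user> <method> <uri> <status>".
LOG_RE = re.compile(r"^(?P<user>\S+) (?P<method>GET|POST) (?P<uri>\S+) (?P<status>\d{3})$")


def disabled_modules(role):
    """Modules the role marks Disabled or None in Role Management."""
    return {m for m, level in ROLES.get(role, {}).items() if level in ("Disabled", "None")}


def find_role_bypasses(log_lines):
    """Return (user, module, reason) for served requests that contradict the user's role."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["status"] != "200":
            continue  # only served requests matter; a denial is the role working
        user, uri = m["user"], m["uri"]
        role = USER_ROLE.get(user)
        if role is None:
            continue
        module = parse_qs(urlsplit(uri).query).get("module", [""])[0]
        blocked = disabled_modules(role)
        if module in blocked:
            findings.append((user, module, "direct access to disabled module"))
        elif module in BYPASS_SCREENS and blocked & RELATED_MODULES:
            # Heuristic from the advisory: calendar/project screens can render
            # work items from modules this role has disabled.
            findings.append((user, module, "bypass screen reached by role with disabled modules"))
    return findings


SAMPLE_LOG = [  # constructed events
    "alice GET /index.php?module=Leads&action=index 200",
    "alice GET /index.php?module=Project&action=index 403",
    "alice GET /index.php?module=Calendar&action=index 200",
    "alice POST /index.php?module=ProjectTask&action=Save 200",
    "bob GET /index.php?module=Project&action=index 200",
]

if __name__ == "__main__":
    for finding in find_role_bypasses(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log by adapting `LOG_RE` to your web server's format and replacing `ROLES`/`USER_ROLE` with an export of your Role Management settings; after patching, a low-privileged account exercising the Resource Calendar should produce no "direct access" findings.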