CVE-2025-64489
HIGH WAF: Low
CVSS 8.8
Published: 2025-11-08
CWE-269
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application and, critically, can self-reactivate their account. This undermines administrative controls and allows unauthorized persistence. This issue is fixed in versions 7.14.8 and 8.9.1.
WAF Coverage Analysis
Improper Privilege Management
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| salesagility | suitecrm | up to 7.14.8 |
| salesagility | suitecrm | 8.0.0 - 8.9.1 |
References
- github.com (Patch)
- github.com (Patch)
- github.com (Vendor Advisory)