#VU125915 Improper access control in EspoCRM - CVE-2025-32789


Published: April 16, 2025 / Updated: April 14, 2026


Vulnerability identifier: #VU125915
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-32789
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
EspoCRM
Software vendor:
EspoCRM

Description

The vulnerability allows a remote user (any authenticated account) to obtain sensitive information.

The vulnerability exists due to improper access control in the user list sorting function: the sort attribute supplied in a user list request is not restricted to non-sensitive fields, so the password column, which holds the stored password hash, is accepted as a sort key. A remote user can order the user list by that column and observe the resulting row order.

The hash itself is not returned in the response, but the order of the returned rows depends on it, so every sorted request reveals how the stored hashes of other users compare with one another and with the attacker's own. Repeated sorting turns these comparisons into a way of inferring information about other users' password hashes.
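The pattern behind this advisory, as an added illustration that is not EspoCRM's own code: a list endpoint that accepts any attribute as the sort key turns a column it never returns into a comparison oracle. The user table, the unsalted SHA-256 hashing, the `SORTABLE` allow-list and the probe passwords below are all constructed for the example; EspoCRM's real schema, hash scheme and fix are not reproduced here. The bracketing step assumes the attacker can compute the hash of their own password, which holds for the toy hash used here but not for a salted, slow hash; the ordering leak itself does not depend on that assumption.

```python
"""Sortable-column oracle: a list endpoint that orders rows by a client-chosen
attribute leaks the ordering of a column it never returns.  Added example,
not EspoCRM code; all data below is constructed."""
import hashlib


def hash_password(password: str) -> str:
    # Unsalted SHA-256 only so the walk-through is reproducible.  The modelled
    # defect is the client-chosen sort column, not the hash scheme.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample user table (hypothetical accounts).
USERS = [
    {"id": "u1", "userName": "admin",   "password": hash_password("correct horse battery")},
    {"id": "u2", "userName": "alice",   "password": hash_password("s3cret!")},
    {"id": "u3", "userName": "mallory", "password": hash_password("initial")},
]

# Hypothetical allow-list of attributes a client may legitimately order by.
SORTABLE = {"id", "userName"}


def list_users(table, order_by, order="asc", sortable=None):
    """Return the user list with the password column stripped.

    sortable=None reproduces the vulnerable behaviour: any column present on
    the row, including 'password', is accepted as the sort key.  Passing an
    allow-list reproduces the fix: any other sort key is refused up front.
    """
    if sortable is None:
        if order_by not in table[0]:
            raise ValueError(f"unknown column {order_by!r}")
    elif order_by not in sortable:
        raise ValueError(f"{order_by!r} is not a sortable attribute")
    rows = sorted(table, key=lambda r: r[order_by], reverse=(order == "desc"))
    # The hash never leaves the server, but the row order still depends on it.
    return [{k: v for k, v in r.items() if k != "password"} for r in rows]


def set_password(table, user_name, new_password):
    """Self-service password change: the attacker's only write primitive."""
    for row in table:
        if row["userName"] == user_name:
            row["password"] = hash_password(new_password)
            return
    raise KeyError(user_name)


def sorts_before(table, me, target):
    """One oracle query against the vulnerable endpoint: does my row precede
    the target's when ordered by password?  Leaks one bit: hash(me) < hash(target)."""
    names = [r["userName"] for r in list_users(table, "password")]
    return names.index(me) < names.index(target)


def recover_hash_prefix(table, me, target, probes=1 << 14):
    """Change my own password `probes` times, query the oracle after each
    change, and keep the tightest bracket around the target's hash.  Every
    probe hash that sorted before the target is a lower bound and every one
    that sorted after it is an upper bound; the hex prefix on which the two
    bounds agree is, with certainty, a prefix of the target's stored hash."""
    lower, upper = "0" * 64, "f" * 64
    for i in range(probes):
        pw = f"probe-{i}"           # constructed probe passwords
        set_password(table, me, pw)
        h = hash_password(pw)       # attacker knows their own hash (toy assumption)
        if sorts_before(table, me, target):
            lower = max(lower, h)
        else:
            upper = min(upper, h)
    common = 0
    while common < 64 and lower[common] == upper[common]:
        common += 1
    return lower[:common]


if __name__ == "__main__":
    prefix = recover_hash_prefix(USERS, "mallory", "admin")
    print("recovered prefix of admin's hash:", prefix)
    print("fixed endpoint accepts userName:", [r["userName"] for r in list_users(USERS, "userName", sortable=SORTABLE)])
    try:
        list_users(USERS, "password", sortable=SORTABLE)
    except ValueError as e:
        print("fixed endpoint rejects password sort:", e)
```

The defensive point is the last branch: the fixed endpoint never reaches the sort, because the sort key is validated against an allow-list of non-sensitive attributes before any query runs. Filtering the hash out of the response is not enough on its own, as `recover_hash_prefix` shows by never reading the password column at all, only the row order. With roughly sixteen thousand password changes the bracket typically pins down three hex digits of the target hash; the number of probes, not any weakness in the hash, bounds how much is learned.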


Remediation

Install the security update from the vendor's website.

External links