Cyber Resilience

CVE-2022-45186

High · Public PoC

Published: 07 January 2025

Modified: 15 April 2025
KEV Added: (not listed)
Patch: (see mitigation references below)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0017 (38.1th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-45186 is a high-severity vulnerability in SalesAgility SuiteCRM whose weakness type (CWE) is unspecified. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Customer Relationship Management Software (T1213.004). By exploit likelihood it ranks at the 38.1th percentile (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2022-45186 is a vulnerability in SuiteCRM version 7.12.7 that allows authenticated users to recover an arbitrary field from the database. The flaw affects the open-source customer relationship management software SuiteCRM, specifically the 7.12.7 release, and enables access to sensitive database content beyond what the user's privileges should allow.

The vulnerability can be exploited over the network with low attack complexity by a low-privileged user, such as any authenticated account, and requires no user interaction. Successful exploitation has a high confidentiality impact, since arbitrary database fields can be recovered, and a high integrity impact, since unauthorized modifications may be possible; availability is not affected. These factors are reflected in the CVSS v3.1 base score of 8.1.

Mitigation details are available in the SuiteCRM 7.12.x release documentation, which covers patches and updates for affected versions. Additional resources include the Orange Cyberdefense CVE repository and a corresponding proof-of-concept script that demonstrates the issue.

EU & UK References

Vulnerability details

An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1213.004 Customer Relationship Management Software (Collection)
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.
Why these techniques?

Direct unauthorized access to database fields in SuiteCRM (CRM software) matches T1213.004, which covers data collection from information repositories such as CRM systems.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-50589 (same product: Salesagility Suitecrm)
CVE-2025-54788 (same product: Salesagility Suitecrm)
CVE-2025-54785 (same product: Salesagility Suitecrm)
CVE-2019-25664 (same product: Salesagility Suitecrm)
CVE-2022-45185 (same product: Salesagility Suitecrm)
CVE-2019-25663 (same product: Salesagility Suitecrm)

Affected Assets

Vendor: salesagility
Product: suitecrm
Version: 7.12.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): Enforces approved authorizations to prevent authenticated users from recovering arbitrary database fields beyond their privileges.

AC-6 Least Privilege (prevent): Restricts user access to only the database fields they need, according to least privilege, directly mitigating unauthorized data recovery.

Flaw remediation (prevent; control identifier not preserved on this page): Requires timely remediation of flaws like CVE-2022-45186 through patching to eliminate the arbitrary field recovery vulnerability.

References