Cyber Resilience

CVE-2025-10389

Low

Published: 14 September 2025

Published
14 September 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0022 44.2th percentile
Risk Priority 4 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10389 is a low-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Crmeb Crmeb. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 44.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-10389 is an improper authorization vulnerability affecting CRMEB versions up to 5.6.1. The issue is located in the Save function of the file app/services/system/admin/SystemAdminServices.php within the Administrator Password Handler component, where manipulation of the ID argument leads to inadequate access controls.

The vulnerability enables remote exploitation by low-privileged users, as indicated by its CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L). Attackers require network access and low privileges but no user interaction, achieving low impacts on integrity and availability with no confidentiality loss. Associated CWEs include CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).

VulDB advisories note that a public exploit has been released, increasing the risk of active exploitation. The vendor was notified early about the disclosure but provided no response, implying no official patch or mitigation guidance is available from them at this time.

EU & UK References

Vulnerability details

A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization. The attack may be…

more

initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper authorization (CWE-285) in CRMEB's admin password handler allows low-privilege users to remotely reset administrator passwords via ID manipulation, enabling exploitation of public-facing web applications (T1190), exploitation for privilege escalation (T1068), and account manipulation (T1098).

CVEs Like This One

CVE-2025-10390Same product: Crmeb Crmeb
CVE-2026-1202Same product: Crmeb Crmeb
CVE-2026-1203Same product: Crmeb Crmeb
CVE-2025-25763Same product: Crmeb Crmeb
CVE-2025-15442Same product: Crmeb Crmeb
CVE-2025-15443Same product: Crmeb Crmeb
CVE-2025-1847Shared CWE-266, CWE-285
CVE-2026-3263Shared CWE-266, CWE-285
CVE-2026-2109Shared CWE-266, CWE-285
CVE-2026-1550Shared CWE-266, CWE-285

Affected Assets

crmeb
crmeb
≤ 5.6.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the ID argument before allowing the Save operation in SystemAdminServices.php, blocking unauthorized password changes by low-privileged users.

prevent

Restricts privileges so that non-admin accounts cannot reach or affect the Administrator Password Handler, limiting the attack surface of the improper authorization flaw.

prevent

Governs how access decisions are made for the ID parameter, ensuring the flawed authorization logic in the Save function is replaced by a centralized, correct decision point.

References