CVE-2025-10389
Published: 14 September 2025
Summary
CVE-2025-10389 is a low-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Crmeb Crmeb. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 44.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-10389 is an improper authorization vulnerability affecting CRMEB versions up to 5.6.1. The issue is located in the Save function of the file app/services/system/admin/SystemAdminServices.php within the Administrator Password Handler component, where manipulation of the ID argument leads to inadequate access controls.
The vulnerability enables remote exploitation by low-privileged users, as indicated by its CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L). Attackers require network access and low privileges but no user interaction, achieving low impacts on integrity and availability with no confidentiality loss. Associated CWEs include CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).
VulDB advisories note that a public exploit has been released, increasing the risk of active exploitation. The vendor was notified early about the disclosure but provided no response, implying no official patch or mitigation guidance is available from them at this time.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29107
Vulnerability details
A security flaw has been discovered in CRMEB up to 5.6.1. Impacted is the function Save of the file app/services/system/admin/SystemAdminServices.php of the component Administrator Password Handler. Performing manipulation of the argument ID results in improper authorization. The attack may be…
more
initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authorization (CWE-285) in CRMEB's admin password handler allows low-privilege users to remotely reset administrator passwords via ID manipulation, enabling exploitation of public-facing web applications (T1190), exploitation for privilege escalation (T1068), and account manipulation (T1098).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on the ID argument before allowing the Save operation in SystemAdminServices.php, blocking unauthorized password changes by low-privileged users.
Restricts privileges so that non-admin accounts cannot reach or affect the Administrator Password Handler, limiting the attack surface of the improper authorization flaw.
Governs how access decisions are made for the ID parameter, ensuring the flawed authorization logic in the Save function is replaced by a centralized, correct decision point.