Cyber Resilience

CVE-2025-10390

Severity: Low

Published: 14 September 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score (v4): 2.1 · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0019 (40.6th percentile)
Risk Priority: 4 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10390 is a low-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Crmeb Crmeb. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 40.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2025-10390 is an improper authorization vulnerability affecting CRMEB versions up to 5.6.1. The issue resides in the editAddress function within the file app/services/user/UserAddressServices.php, where manipulation of the ID argument enables unauthorized actions.

The vulnerability is exploitable remotely over the network by low-privileged authenticated users, requiring low attack complexity and no user interaction. Exploitation leads to low impacts on integrity and availability, with no confidentiality impact, as reflected in its CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L). It is associated with CWEs 266 and 285.

Advisories from VulDB indicate that a public exploit is available and the vulnerability could be exploited. The vendor was contacted early about the disclosure but provided no response. Relevant references include VulDB entries at vuldb.com/?ctiid.323825, vuldb.com/?id.323825, and vuldb.com/?submit.644578, as well as a GitHub repository at github.com/August829/Yu/blob/main/58ead8e7e08bfb014.md.

Vulnerability details

A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-266 (Incorrect Privilege Assignment), CWE-285 (Improper Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Improper authorization (IDOR-style ID manipulation) in a public-facing web application enables remote exploitation by valid low-privileged accounts to perform unauthorized data modifications.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-10389 (same product: Crmeb Crmeb)
CVE-2026-1202 (same product: Crmeb Crmeb)
CVE-2026-1203 (same product: Crmeb Crmeb)
CVE-2025-25763 (same product: Crmeb Crmeb)
CVE-2025-15442 (same product: Crmeb Crmeb)
CVE-2025-15443 (same product: Crmeb Crmeb)
CVE-2025-1226 (shared CWE-266, CWE-285)
CVE-2026-1597 (shared CWE-266, CWE-285)
CVE-2025-8756 (shared CWE-266, CWE-285)
CVE-2026-2105 (shared CWE-266, CWE-285)

Affected Assets

Vendor: crmeb
Product: crmeb
Versions: ≤ 5.6.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (AC-3, Access Enforcement): Directly requires the system to enforce approved authorizations on the editAddress function so that ID manipulation by low-privileged users cannot bypass intended access restrictions.

Prevent: Limits privileges assigned to user accounts, reducing the attack surface and potential impact if the authorization check in UserAddressServices.php is flawed.

Prevent (AC-24, Access Control Decisions): Ensures access-control decisions are made by the system using authoritative policy data rather than trusting the client-supplied ID value.
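The defect class described in the analysis above (an edit routine keyed on a client-supplied address ID with no ownership check) and the AC-3/AC-24 remedy (the server deciding authorization from the stored owner, not from anything the client sends) can be shown side by side. The following is an added illustration written for this page; it is not CRMEB's code and does not reproduce the project's classes or API. The `Address`, `AddressStore`, `VulnerableAddressService` and `HardenedAddressService` names, the in-memory store, the user IDs 100 and 200 and the audit log are all constructed here for the example.

```python
"""Illustrative IDOR / improper-authorization pattern for an "edit address" routine.

Added example, not CRMEB code. Every name and record below is constructed for
illustration of the CWE-285 / CWE-266 defect class and a hardened form in the
spirit of NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control
Decisions): the authorization decision is made server-side from stored owner
data rather than trusted from the client-supplied ID.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Address:
    id: int
    owner_uid: int
    detail: str


@dataclass
class AddressStore:
    """Constructed in-memory stand-in for an address table plus an audit trail."""
    rows: Dict[int, Address] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def get(self, address_id: int) -> Optional[Address]:
        return self.rows.get(address_id)


def seed_store() -> AddressStore:
    """Two users, one address each (constructed sample data)."""
    store = AddressStore()
    store.rows[1] = Address(1, owner_uid=100, detail="user 100 home")
    store.rows[2] = Address(2, owner_uid=200, detail="user 200 home")
    return store


class VulnerableAddressService:
    """Looks the row up by the client-supplied ID only and never consults ownership.

    The authenticated user's identity (current_uid) is available to the routine
    but is not part of the authorization decision, which is the defect class.
    """

    def __init__(self, store: AddressStore) -> None:
        self.store = store

    def edit_address(self, current_uid: int, address_id: int, new_detail: str) -> bool:
        row = self.store.get(address_id)
        if row is None:
            return False
        row.detail = new_detail  # any authenticated user can overwrite any row
        return True


class HardenedAddressService:
    """Scopes the write to rows owned by the caller.

    The decision uses the stored owner_uid (authoritative policy data); the
    client-supplied ID is only a selector, never evidence of entitlement.
    """

    def __init__(self, store: AddressStore) -> None:
        self.store = store

    def edit_address(self, current_uid: int, address_id: int, new_detail: str) -> bool:
        row = self.store.get(address_id)
        # Treat "missing" and "owned by someone else" identically so the response
        # does not reveal which IDs exist for other users; log the denial so
        # repeated ID probing by one account is visible to detection.
        if row is None or row.owner_uid != current_uid:
            self.store.audit.append(f"denied uid={current_uid} address_id={address_id}")
            raise PermissionError("address not found or not owned by caller")
        row.detail = new_detail
        return True


def run_vulnerable() -> Tuple[bool, str]:
    """User 200 edits address 1, which belongs to user 100: the write succeeds."""
    store = seed_store()
    ok = VulnerableAddressService(store).edit_address(200, 1, "tampered")
    return ok, store.rows[1].detail


def run_hardened() -> Tuple[bool, str, List[str]]:
    """Same request against the hardened service is denied; the owner still succeeds."""
    store = seed_store()
    svc = HardenedAddressService(store)
    try:
        svc.edit_address(200, 1, "tampered")
        denied = False
    except PermissionError:
        denied = True
    svc.edit_address(100, 1, "updated by owner")
    return denied, store.rows[1].detail, store.audit


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("hardened:  ", run_hardened())
```

In a real code base the ownership scoping belongs in the query itself (filter by both the address ID and the authenticated user's ID) so that no code path can fetch a row first and forget the check afterwards; the audit line gives a SOC a simple signal for one account cycling through many foreign IDs.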
