CVE-2025-10390
Published: 14 September 2025
Summary
CVE-2025-10390 is a low-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Crmeb Crmeb. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2025-10390 is an improper authorization vulnerability affecting CRMEB versions up to 5.6.1. The issue resides in the editAddress function within the file app/services/user/UserAddressServices.php, where manipulation of the ID argument enables unauthorized actions.
The vulnerability is exploitable remotely over the network by low-privileged authenticated users, requiring low attack complexity and no user interaction. Exploitation leads to low impacts on integrity and availability, with no confidentiality impact, as reflected in its CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L). It is associated with CWEs 266 and 285.
Advisories from VulDB indicate that a public exploit is available and the vulnerability could be exploited. The vendor was contacted early about the disclosure but provided no response. Relevant references include VulDB entries at vuldb.com/?ctiid.323825, vuldb.com/?id.323825, and vuldb.com/?submit.644578, as well as a GitHub repository at github.com/August829/Yu/blob/main/58ead8e7e08bfb014.md.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29111
Vulnerability details
A weakness has been identified in CRMEB up to 5.6.1. The affected element is the function editAddress of the file app/services/user/UserAddressServices.php. Executing manipulation of the argument ID can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization (IDOR-style ID manipulation) in a public-facing web application lets a valid low-privileged account perform unauthorized data modifications remotely.
Mitigating Controls (NIST 800-53 r5)
- Directly requires the system to enforce approved authorizations on the editAddress function so that ID manipulation by low-privileged users cannot bypass intended access restrictions.
- Limits privileges assigned to user accounts, reducing the attack surface and potential impact if the authorization check in UserAddressServices.php is flawed.
- Ensures access-control decisions are made by the system using authoritative policy data rather than trusting the client-supplied ID value.
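As an added example (not CRMEB's code; the in-memory store, function names and sample users are assumptions), the lookup-by-id-only pattern the advisory describes beside the ownership-scoped lookup that the access-enforcement control calls for:

```python
from dataclasses import dataclass

class AuthorizationError(Exception):
    pass

@dataclass
class Address:
    id: int
    owner_uid: int
    detail: str

class AddressStore:
    # Constructed stand-in for the database table behind the address service.
    def __init__(self, rows):
        self._rows = {a.id: a for a in rows}

    def get_by_id(self, address_id):
        return self._rows.get(address_id)

    def get_owned(self, address_id, uid):
        # Ownership is part of the lookup key, so a foreign id behaves like a missing one.
        a = self._rows.get(address_id)
        return a if a is not None and a.owner_uid == uid else None

def fresh_store():
    # Constructed sample data: address 1 belongs to user 100, address 2 to user 200.
    return AddressStore([Address(1, 100, "1 Main St"), Address(2, 200, "2 High St")])

def edit_address_vulnerable(store, uid, address_id, new_detail):
    # Bug pattern from the advisory: uid is authenticated but never consulted,
    # so any logged-in user can modify any address id.
    addr = store.get_by_id(address_id)
    if addr is None:
        raise LookupError("address not found")
    addr.detail = new_detail
    return addr

def edit_address_hardened(store, uid, address_id, new_detail):
    # Access enforcement: the decision rests on server-side ownership data,
    # not on the client-supplied id alone. Denials are logged for detection.
    addr = store.get_owned(address_id, uid)
    if addr is None:
        print(f"denied: uid={uid} address_id={address_id}")
        raise AuthorizationError("address not found or not owned by caller")
    addr.detail = new_detail
    return addr
```

The hardened version returns the same "not found" outcome for a missing id and for another user's id, so it neither leaks record existence nor allows the cross-account edit.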