Cyber Posture

CVE-2025-69634

Critical

Published: 12 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none recorded
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-69634 is a critical-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 19.3rd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SC-23 Session Authenticity (prevent): Directly mitigates CSRF by protecting session authenticity and preventing forged requests to perms.php that could escalate privileges.

Re-authentication (prevent): Requires re-authentication for privilege-related actions in perms.php, blocking CSRF exploitation even if an admin interacts with a malicious request.

AC-6 Least Privilege (prevent): Enforces least privilege to limit the scope and impact of any successful privilege escalation via the vulnerable notes field.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

CSRF in perms.php directly enables an authenticated low-privilege user to escalate via forged permission changes (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user.

Deeper analysis [AI-generated]

CVE-2025-69634 is a Cross-Site Request Forgery (CSRF) vulnerability in Dolibarr ERP & CRM version 22.0.9. The flaw resides in the notes field of the perms.php component, where a remote attacker can escalate privileges. It maps to CWE-284 (Improper Access Control), CWE-352 (Cross-Site Request Forgery), and CWE-598 (Use of GET Request Method With Sensitive Query Strings), with a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, low privileges required, user interaction needed, changed scope, and high impacts on confidentiality, integrity, and availability.

The attack requires an authenticated user with low privileges to craft a forged request targeting the notes field in perms.php. Exploitation demands user interaction, such as an admin clicking a malicious link or submitting a form, allowing the low-privileged attacker to escalate to higher privileges. This can result in unauthorized access to sensitive functions, with potential for high-impact compromise across the application's scope.

A third party disputes the vulnerability's severity, stating that exploitation requires an unprivileged user to already know an admin user's token. Detailed research and reproductions are available in GitHub repositories at https://github.com/simone97212/DolibarrVuln and https://github.com/simone97212/vuln-research/tree/main/CVE-2025-69634. No patch or mitigation details are specified in the available information.
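The analysis above describes the defensive conditions that close this class of bug: a permission change must carry an unguessable, session-bound anti-CSRF token, must be made by a session that actually holds admin rights, and should require a recent re-authentication. The following is an added illustration of those checks in plain Python; it is not Dolibarr's code and not part of the original page. The names Session, Request, check_permission_change, ALLOWED_ORIGIN and REAUTH_WINDOW_SECONDS, and all sample requests, are constructed for the example. It also shows why the third-party dispute matters: a forged request only succeeds if the attacker already holds the admin's exact token.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed values for the example; not Dolibarr's configuration.
ALLOWED_ORIGIN = "https://erp.example.test"   # the application's own origin
REAUTH_WINDOW_SECONDS = 300                    # how recently an admin must have re-entered a password


@dataclass
class Session:
    """Server-side session. The CSRF token is random and bound to this session only."""
    user_id: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_auth_at: float = field(default_factory=time.monotonic)


@dataclass
class Request:
    """The parts of an HTTP request the check needs (constructed, not a real framework object)."""
    method: str
    form: Dict[str, str]
    origin: Optional[str] = None   # value of the Origin header, if the browser sent one


def check_permission_change(session: Session, request: Request,
                            now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a request to change permissions may proceed.

    Returns (allowed, reason). Each rejection branch corresponds to one of the
    controls named on the page: CSRF token = session authenticity, admin check =
    access control, re-auth window = re-authentication for privileged actions.
    """
    now = time.monotonic() if now is None else now

    # State-changing actions only via POST, so a plain link or <img> cannot trigger them.
    if request.method != "POST":
        return False, "state change must use POST"

    # Reject cross-site submissions when the browser tells us where the request came from.
    if request.origin is not None and request.origin != ALLOWED_ORIGIN:
        return False, "cross-origin request"

    # Synchronizer token: the form must carry the token issued to *this* session.
    # Constant-time comparison on bytes so unexpected characters cannot raise.
    submitted = request.form.get("csrf_token", "")
    if not submitted or not hmac.compare_digest(submitted.encode("utf-8"),
                                                session.csrf_token.encode("utf-8")):
        return False, "missing or invalid CSRF token"

    # Access control: only an administrator may change permissions at all.
    if not session.is_admin:
        return False, "caller is not an administrator"

    # Privileged action: require a recent password re-entry.
    if now - session.last_auth_at > REAUTH_WINDOW_SECONDS:
        return False, "re-authentication required"

    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over constructed requests and return each verdict."""
    admin = Session(user_id="admin", is_admin=True)
    low = Session(user_id="intern", is_admin=False)
    good = {"csrf_token": admin.csrf_token, "user": "intern", "perm": "admin"}
    return {
        # Admin submits the genuine form from the application's own page.
        "legitimate": check_permission_change(admin, Request("POST", good, ALLOWED_ORIGIN)),
        # Forged form replayed in the admin's browser without a token (no Origin header sent).
        "forged_no_token": check_permission_change(
            admin, Request("POST", {"user": "intern", "perm": "admin"})),
        # Forged form from another site that guesses a token: blocked by the origin check.
        "forged_guessed_token": check_permission_change(
            admin, Request("POST", {"csrf_token": "guess"}, "https://evil.example")),
        # Low-privilege user submitting with their own valid token: access control still blocks.
        "low_priv_own_token": check_permission_change(
            low, Request("POST", {"csrf_token": low.csrf_token}, ALLOWED_ORIGIN)),
        # Admin whose last authentication is too old: must re-authenticate first.
        "stale_auth": check_permission_change(
            admin, Request("POST", good, ALLOWED_ORIGIN), now=admin.last_auth_at + 1000),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY':5s} {reason}")
```

The order of checks is deliberate: the cheap request-shape checks (method, origin) run first, the token check runs before any business logic, and the admin and re-authentication checks apply only to the session that actually submitted the request, so a low-privilege user cannot satisfy them with their own credentials.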

Details

CWE(s)

CWE-284 (Improper Access Control), CWE-352 (Cross-Site Request Forgery), CWE-598 (Use of GET Request Method With Sensitive Query Strings)

CVEs Like This One

CVE-2025-54914 (shared CWE-284)
CVE-2025-23530 (shared CWE-352)
CVE-2025-21359 (shared CWE-284)
CVE-2025-24042 (shared CWE-284)
CVE-2026-2311 (shared CWE-284)
CVE-2026-0844 (shared CWE-284)
CVE-2026-23856 (shared CWE-284)
CVE-2026-35242 (shared CWE-284)
CVE-2025-24994 (shared CWE-284)
CVE-2026-27914 (shared CWE-284)

References