| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2025-60375 | 9 Oct 2025 19:29 | – | circl |
| Perfex CRM security vulnerability | 9 Oct 2025 00:00 | – | cnnvd |
| CVE-2025-60375 | 9 Oct 2025 00:00 | – | cve |
| CVE-2025-60375 | 9 Oct 2025 00:00 | – | cvelist |
| EUVD-2025-33558 | 9 Oct 2025 21:31 | – | euvd |
| CVE-2025-60375 | 9 Oct 2025 21:15 | – | nvd |
| PT-2025-41488 | 9 Oct 2025 00:00 | – | ptsecurity |
| CVE-2025-60375 | 10 Oct 2025 01:32 | – | redhatcve |
| CVE-2025-60375 | 9 Oct 2025 00:00 | – | vulnrichment |

# Security Advisory — PerfexCRM Authentication Bypass (CVE-2025-60375, RESERVED)
**Advisory ID:** perfexcrm-auth-bypass-2025
**CVE:** CVE-2025-60375 (RESERVED)
**Product:** PerfexCRM
**Affected versions:** versions prior to 3.3.1 (< 3.3.1)
**Date discovered:** [replace with discovery date]
**Reported by:** Ajansha Shankar, Ahamed Yaseen
**References:** OWASP Authentication Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
---
## Summary
An authentication bypass exists in the admin login mechanism of PerfexCRM prior to version 3.3.1. The server's authentication workflow does not sufficiently validate the presence and contents of username/password parameters. An attacker who manipulates the login request to supply empty username and password parameters may be granted access to user accounts, including administrative accounts.
---
## Impact
- Unauthorized access to user accounts (including admin).
- Potential full compromise of the application and sensitive data exposure.
- Remote exploitation — attacker only needs the ability to send HTTP requests to the login endpoint.
---
## Technical details & reproduction
1. Intercept the POST request sent to the admin login endpoint (e.g., `/admin/auth/login`).
2. Remove or set `username` and `password` fields to empty values in the request body.
3. Forward the modified request. The server may respond with `419 Page expired` on refresh but will redirect to the dashboard and provide an authenticated session without valid credentials.
**Root cause (summary):** insufficient server-side validation and improper control flow that allows session or application logic to mark the request as authenticated even with missing credentials.
---
## Mitigation / Remediation
- Fix server-side authentication: reject requests missing username or password with an explicit 4xx error (e.g., 400/401).
- Ensure session creation and privilege assignment only happen after successful credential verification.
- Add unit and integration tests to validate behavior against empty/missing credential values.
- Consider adding rate-limiting and monitoring for suspicious login attempts while the fix is being deployed.
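The remediation points above, as an added example that is not PerfexCRM's code: a minimal Python model of a fail-closed login handler in which absent or empty credentials are rejected with 400 before any user lookup, a wrong password yields 401, and a session is created only on the verified path, so the empty-credential case cannot reach session creation. The user store, salt, password and role values are constructed sample data.

```python
import hashlib
import hmac
import secrets


def _hash(salt: bytes, password: str) -> bytes:
    """PBKDF2-SHA256 password hash (32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user store: username -> salt, password hash, role.
_SALT = b"constructed-sample-salt"
USERS = {
    "admin": {"salt": _SALT, "hash": _hash(_SALT, "correct horse battery staple"), "role": "admin"},
}
# Used for unknown usernames so the hash/compare cost does not reveal which accounts exist.
_DUMMY = {"salt": _SALT, "hash": bytes(32)}

SESSIONS = {}  # token -> session data; populated only by the success path below


def login(form: dict) -> tuple:
    """Handle a submitted login form. Returns (HTTP status, response body)."""
    username = form.get("username")
    password = form.get("password")
    # 1. Presence and content check first: absent, non-string or empty values
    #    fail closed with 400 before any lookup, verification or session work.
    if (not isinstance(username, str) or not isinstance(password, str)
            or not username.strip() or not password):
        return 400, {"error": "username and password are required"}
    # 2. Verify the password in constant time, even when the user is unknown.
    record = USERS.get(username)
    candidate = record if record is not None else _DUMMY
    verified = hmac.compare_digest(_hash(candidate["salt"], password), candidate["hash"])
    if record is None or not verified:
        return 401, {"error": "invalid credentials"}
    # 3. Only now create the session and assign privileges from the verified record.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "role": record["role"]}
    return 200, {"session": token}


if __name__ == "__main__":
    for sample in ({}, {"username": "", "password": ""}, {"username": "admin", "password": "wrong"}):
        print(sample, "->", login(sample)[0])
```

The three rejected cases in the `__main__` block are the ones the advisory's unit-test recommendation should cover; each must leave `SESSIONS` untouched.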
---
## Suggested CVSS (example)
- CVSS v3.1 (example): **7.8 (High)** — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
> Note: This is an estimated vector for triage. Provide a precise CVSS vector after coordinated disclosure.
---
## Contact / Credit
- Reported by: Ajansha Shankar and Ahamed Yaseen