- Last update: 04/02/2026
- Affected software:
→ EspoCRM <= 5.8.5
- Type: CWE-639 - Authorization Bypass Through User-Controlled Key
- CVE/CVSS:
→ CVE-2020-37094: CVSS 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EspoCRM - https://www.espocrm.com/
An attacker can compromise a vulnerable EspoCRM instance to gain access to sensitive customer information and business data, which could disrupt core business operations. EspoCRM is used to manage publicly available websites, so the likelihood of an attack is very high. A compromise of the system could have a high impact on confidentiality, integrity and availability.
CVE-2020-37094 is a vulnerability that allows attackers to access other users' accounts by manipulating authorization headers. By decoding authorization tokens, attackers can gain unauthorized access to administrative user information and privileges.
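The weakness class behind this advisory (CWE-639) is a server that takes the identity or record key from something the client controls. The following added example, written for this page and not taken from EspoCRM's code base, contrasts a handler that trusts a client-decodable identity blob with one that resolves the principal from a server-side session store and enforces ownership; the session tokens, user ids and records are constructed sample data.

```python
import base64
import json

# Constructed sample data (hypothetical, not EspoCRM's): an opaque session
# token -> user id store, and the user records the API serves.
SESSIONS = {"tok-alice": "u1", "tok-bob": "u2"}
USERS = {
    "u1": {"name": "alice", "isAdmin": False},
    "u2": {"name": "bob", "isAdmin": False},
    "u3": {"name": "admin", "isAdmin": True},
}


def vulnerable_get_user(headers, user_id):
    """Weak pattern (CWE-639): the Authorization header is a base64-encoded
    JSON blob with no server-side binding, so the identity it carries is a
    client-controlled key, and no ownership check is made on the record."""
    try:
        claims = json.loads(base64.b64decode(headers.get("Authorization", "")))
    except (ValueError, TypeError):
        return 401, {"error": "unauthenticated"}
    if not isinstance(claims, dict) or claims.get("user") not in USERS:
        return 401, {"error": "unauthenticated"}
    # Missing check: any authenticated principal may read any user record.
    record = USERS.get(user_id)
    return (200, record) if record else (404, {"error": "not found"})


def hardened_get_user(headers, user_id):
    """Fix: the principal is looked up server-side from an opaque token,
    and the requested record must belong to that principal unless the
    principal is an administrator. The client never supplies the key."""
    principal = SESSIONS.get(headers.get("Authorization", ""))
    if principal is None:
        return 401, {"error": "unauthenticated"}
    if user_id != principal and not USERS[principal]["isAdmin"]:
        return 403, {"error": "forbidden"}
    record = USERS.get(user_id)
    return (200, record) if record else (404, {"error": "not found"})


if __name__ == "__main__":
    # A self-made blob naming "u3" is accepted by the weak handler only.
    blob = {"Authorization": base64.b64encode(b'{"user": "u3"}').decode()}
    print("vulnerable:", vulnerable_get_user(blob, "u3")[0])   # 200
    print("hardened:  ", hardened_get_user(blob, "u3")[0])     # 401
    print("hardened own record:", hardened_get_user({"Authorization": "tok-alice"}, "u1")[0])  # 200
```

The hardened variant is the shape of the vendor fix a defender should look for in a patched release: identity bound to server-side state, ownership enforced on every keyed lookup.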
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.