## https://sploitus.com/exploit?id=PACKETSTORM:210540
# Security Advisory: PerfexCRM Authentication Bypass (CVE-2025-60375, RESERVED)

**Advisory ID:** perfexcrm-auth-bypass-2025  
**CVE:** CVE-2025-60375 (RESERVED)  
**Product:** PerfexCRM  
**Affected versions:** versions prior to 3.3.1 (< 3.3.1)  
**Date discovered:** [replace with discovery date]  
**Reported by:** Ajansha Shankar, Ahamed Yaseen  
**References:** OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

---

## Summary
An authentication bypass exists in the admin login mechanism of PerfexCRM prior to version 3.3.1. The server's authentication workflow does not sufficiently validate the presence and contents of the username/password parameters. An attacker who manipulates the login request to supply empty username and password parameters may be granted access to user accounts, including administrative accounts.

---

## Impact
- Unauthorized access to user accounts (including admin).  
- Potential full compromise of the application and sensitive data exposure.  
- Remote exploitation: an attacker only needs the ability to send HTTP requests to the login endpoint.

---

## Technical details & reproduction
1. Intercept the POST request sent to the admin login endpoint (e.g., `/admin/auth/login`).  
2. Remove the `username` and `password` fields, or set them to empty values, in the request body.  
3. Forward the modified request. The server may respond with `419 Page expired` on refresh but will redirect to the dashboard and provide an authenticated session without valid credentials.

**Root cause (summary):** insufficient server-side validation and improper control flow that allows session or application logic to mark the request as authenticated even with missing credentials.

---

## Mitigation / Remediation
- Fix server-side authentication: reject requests missing a username or password with an explicit 4xx error (e.g., 400/401).  
- Ensure session creation and privilege assignment only happen after successful credential verification.  
- Add unit and integration tests to validate behavior against empty/missing credential values.  
- Consider adding rate-limiting and monitoring for suspicious login attempts while the fix is deployed.
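Added example (not PerfexCRM's code, and not a reconstruction of its actual bug): a hypothetical login handler showing the control-flow bug class described in the root cause beside the hardened flow the mitigation bullets call for, plus the empty/missing-credential regression inputs a test suite should cover. The user store, the `_hash`/`_session` helpers and the 400/401 mapping are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed user store (hypothetical, not PerfexCRM's schema): PBKDF2 hashes
# over a per-user salt.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"admin": {"salt": _SALT, "hash": _hash("correct horse", _SALT)}}


def _session(username: str) -> dict:
    # Hypothetical session record; a real app would persist it server-side.
    return {"status": 302, "session": {"user": username, "token": secrets.token_hex(16)}}


def login_vulnerable(form: dict, users: dict = USERS) -> dict:
    """Hypothetical control-flow bug: the only rejection path is 'known user,
    wrong password'. A missing or empty username finds no record, so the
    request falls through to session creation without any verification."""
    username = form.get("username", "")
    password = form.get("password", "")
    record = users.get(username)
    if record and not hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        return {"status": 401}
    return _session(username)  # reached even when no credential was checked


def login_fixed(form: dict, users: dict = USERS) -> dict:
    """Hardened flow: reject missing or empty fields with 400, reject failed
    verification with 401, and create the session only after a match."""
    username = form.get("username")
    password = form.get("password")
    if not username or not password:  # absent or empty string -> 400
        return {"status": 400}
    record = users.get(username)
    # Hash even for unknown users so known/unknown names are not distinguishable by timing.
    candidate = _hash(password, record["salt"] if record else _SALT)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return {"status": 401}
    return _session(username)  # only path that creates a session


def empty_credential_cases() -> list:
    """Regression inputs for the 'empty/missing credential' tests the advisory recommends."""
    return [{}, {"username": "", "password": ""},
            {"username": "admin", "password": ""}, {"username": "", "password": "x"}]
```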
    
---

## Suggested CVSS (example)
- CVSS v3.1 (example): **7.8 (High)**, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N  
> Note: This is an estimated vector for triage. Provide a precise CVSS vector after coordinated disclosure.

---

## Contact / Credit
- Reported by: Ajansha Shankar and Ahamed Yaseen