CVE-2025-32390 is a high-severity vulnerability affecting EspoCRM, an open-source customer relationship management platform. The flaw exists in versions prior to 9.0.8 and involves improper neutralization of special elements in HTML output within Knowledge Base (KB) articles, classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, commonly known as HTML Injection). Authenticated users with the privilege to read KB articles can exploit this vulnerability by injecting malicious HTML content into KB articles. This injected content can completely deface the page by mimicking legitimate login pages. When other users visit the compromised KB article and enter their credentials into the fake login form, their credentials are captured in plaintext by the attacker. The root cause is overly permissive HTML editing capabilities allowed on KB articles without sufficient sanitization or filtering. The vulnerability does not require elevated privileges beyond the ability to read KB articles, but the attacker must be authenticated with that privilege. The attack vector is remote and does not require user interaction beyond visiting the malicious KB article and submitting credentials. The vulnerability could be leveraged in environments where multiple applications are integrated, as the malicious KB article can be crafted to imitate login pages of other applications, enabling credential harvesting across multiple systems. EspoCRM version 9.0.8 includes a patch that addresses this issue by presumably restricting or sanitizing HTML input in KB articles. The CVSS 4.0 base score is 7.0 (high), reflecting network attack vector, low attack complexity, no privileges required beyond read access, user interaction required, and high impact on confidentiality and integrity. No known exploits are currently reported in the wild, but the potential for credential theft makes this a significant threat.

For European organizations using EspoCRM versions prior to 9.0.8, this vulnerability poses a serious risk of credential theft and subsequent unauthorized access. Since the attack can harvest plaintext credentials by mimicking legitimate login pages, it can lead to account compromise not only within EspoCRM but also across other integrated enterprise applications if users reuse passwords. This can result in data breaches, loss of customer data confidentiality, reputational damage, and potential regulatory non-compliance under GDPR due to inadequate protection of personal data. The ability to deface pages also undermines trust in the platform and can disrupt business operations. Given that the vulnerability requires only read access to KB articles, insider threats or compromised low-privilege accounts could be leveraged to launch attacks. The cross-application credential harvesting potential increases the attack surface and risk for enterprises with interconnected systems. The lack of known exploits in the wild suggests that proactive patching can effectively mitigate risk before exploitation becomes widespread.

European organizations should immediately upgrade EspoCRM installations to version 9.0.8 or later to apply the official patch that addresses this vulnerability. Until the upgrade is performed, organizations should restrict access to the Knowledge Base articles to only trusted users and review user privileges to ensure minimal necessary access is granted. Implement strict input validation and sanitization controls on HTML content in KB articles, possibly disabling HTML editing capabilities for non-administrative users. Conduct regular audits of KB articles to detect and remove any suspicious or unauthorized content. Educate users about phishing risks and encourage the use of unique, strong passwords and multi-factor authentication (MFA) across all enterprise applications to reduce the impact of credential theft. Monitor logs for unusual access patterns or repeated failed login attempts that may indicate exploitation attempts. Additionally, consider deploying web application firewalls (WAFs) with rules to detect and block malicious HTML injection attempts targeting EspoCRM. Finally, integrate EspoCRM security monitoring into the organization's broader security incident and event management (SIEM) system for timely detection and response.