Cyber Posture

CVE-2020-37094

Critical · Public PoC

Published: 03 February 2026
Modified: 03 March 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mitigates CVE-2020-37094 by requiring identification, reporting, and timely remediation of the authentication flaw in EspoCRM through patching or updates.

prevent: Requires management of authorization tokens with sufficient strength of mechanism and protection against unauthorized modification, preventing attackers from decoding and forging them.

prevent: Enforces approved authorizations based on validated authentication, rejecting access attempts using manipulated Basic Authorization and Espo-Authorization headers.

Security Summary (AI)

CVE-2020-37094 is an authentication vulnerability in EspoCRM version 5.8.5 that enables attackers to access other user accounts by manipulating authorization headers. Specifically, attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. The vulnerability is classified under CWE-639 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote, unauthenticated attackers can exploit this vulnerability over the network by intercepting or crafting modified authorization tokens, allowing them to impersonate other users, including administrators. Successful exploitation grants high-impact access to sensitive data, enables privilege escalation, and potentially disrupts system availability through unauthorized actions.
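The weakness class the summary describes (CWE-639: the server trusts an identifier the client can rewrite inside a decodable token) is easier to see side by side with the check that closes it. The following is an added illustration and is not EspoCRM code; the `username:token` header layout, the token store and the user names are constructed assumptions. The vulnerable verifier accepts any header that carries a known token and then believes the username field; the hardened verifier derives the identity from the server-side token record and rejects a header whose username does not match the token's owner.

```python
import base64
from typing import Optional

# Constructed server-side token store: maps an issued secret to the user it
# was issued to. In a real application this is the auth-token/session table.
TOKEN_STORE = {
    "a1b2c3d4-user-token": "alice",   # constructed value
}


def make_header(username: str, token: str) -> str:
    """Build the hypothetical base64('username:token') header value."""
    return base64.b64encode(f"{username}:{token}".encode("utf-8")).decode("ascii")


def decode_header(value: str) -> Optional[tuple[str, str]]:
    """Decode the hypothetical header; return (username, token) or None if malformed."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    username, token = raw.split(":", 1)
    return username, token


def vulnerable_authenticate(header: str) -> Optional[str]:
    """CWE-639 pattern: checks that *some* user owns the token, then trusts the
    client-supplied username. Editing the username field after decoding the
    header therefore yields a different identity for the same token."""
    parsed = decode_header(header)
    if parsed is None:
        return None
    username, token = parsed
    if token in TOKEN_STORE:
        return username          # identity taken from client-controlled data
    return None


def hardened_authenticate(header: str) -> Optional[str]:
    """Identity comes only from the server-side record for the presented token;
    the username field in the header must agree with that record or the
    request is rejected."""
    parsed = decode_header(header)
    if parsed is None:
        return None
    username, token = parsed
    owner = TOKEN_STORE.get(token)
    if owner is None or owner != username:
        return None
    return owner


def compare_checks(header: str) -> dict:
    """Run both verifiers on one header so the difference is visible at a glance."""
    return {
        "vulnerable": vulnerable_authenticate(header),
        "hardened": hardened_authenticate(header),
    }


if __name__ == "__main__":
    legit = make_header("alice", "a1b2c3d4-user-token")
    tampered = make_header("admin", "a1b2c3d4-user-token")  # same token, edited username
    print("legitimate:", compare_checks(legit))
    print("tampered:  ", compare_checks(tampered))
```

The detection angle follows from the same data: when the identity in a header's username field differs from the owner of the token it carries, the hardened verifier's rejection is a signal worth logging and alerting on, since a legitimate client has no reason to send that combination.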

Advisories and resources for mitigation are available from the vendor at https://www.espocrm.com, an exploit proof-of-concept at https://www.exploit-db.com/exploits/48376, and a detailed privilege escalation advisory at https://www.vulncheck.com/advisories/espocrm-privilege-escalation. The presence of a public exploit on Exploit-DB indicates practical exploitability in unpatched environments.

Details

CWE(s): CWE-639

Affected Products

espocrm / espocrm ≤ 5.8.5

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

This CVE enables exploitation of a public-facing web application (EspoCRM) for unauthorized access (T1190) and privilege escalation to administrator via authorization token manipulation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References