PT-2025-16908 · EspoCRM · EspoCRM

Notrobot1 · Published 2025-04-16 · Updated 2025-04-17 · CVE-2025-32789

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.0.7

Description: The issue allows an attacker to infer the password hash values of other users from the order in which users appear when the user list is sorted by the password hash column. An attacker who knows the hash of their own password can change that password and repeat the sorted listing, narrowing the comparison each time until another user's password hash is fully revealed.

Recommendations: For versions prior to 9.0.7, update to version 9.0.7 to resolve the issue. As a temporary workaround, restrict access to the user sorting functionality until the update is applied, and avoid sorting by the password hash field in affected versions to minimize the risk of exploitation.
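The weak behaviour and its fix, as an added illustration that is not EspoCRM's code: a list endpoint that accepts any attribute as a sort key orders rows by the stored hash even when the hash itself is never returned, and an allowlist of sortable fields closes that channel. The record fields, field names and sample hash values are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    user_name: str
    created_at: str
    password: str  # stored hash; constructed stand-in values below


# Constructed sample records; the "hashes" are placeholders, not real digests.
USERS = [
    User(1, "alice", "2024-01-10", "$2y$10$zz-placeholder"),
    User(2, "bob", "2024-02-03", "$2y$10$aa-placeholder"),
    User(3, "carol", "2024-03-15", "$2y$10$mm-placeholder"),
]

# Only fields that are safe to compare across users may be used as sort keys.
SORTABLE_FIELDS = {"id", "user_name", "created_at"}
# Fields returned to the client; the hash is never in the response body.
PUBLIC_FIELDS = ("id", "user_name", "created_at")


def _project(rows: list[User]) -> list[dict]:
    return [{f: getattr(u, f) for f in PUBLIC_FIELDS} for u in rows]


def list_users_vulnerable(order_by: str) -> list[dict]:
    """Sorts on whatever attribute the client names, including the hash.
    The hash is stripped from each row, but the row ORDER still depends on it."""
    return _project(sorted(USERS, key=lambda u: getattr(u, order_by)))


def list_users_hardened(order_by: str) -> list[dict]:
    """Rejects any sort key outside the allowlist before touching the data."""
    if order_by not in SORTABLE_FIELDS:
        raise ValueError(f"field not sortable: {order_by!r}")
    return _project(sorted(USERS, key=lambda u: getattr(u, order_by)))


def leaks_hash_order(list_fn) -> bool:
    """True if sorting by 'password' returns rows in the order of their hashes,
    i.e. the endpoint acts as a comparison oracle on the hash column."""
    try:
        ids = [row["id"] for row in list_fn("password")]
    except ValueError:
        return False
    return ids == [u.id for u in sorted(USERS, key=lambda u: u.password)]
```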

Exploit

Fix

Information Disclosure

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2025-32789
GHSA-3PH3-JCFX-FQ53

Affected Products

EspoCRM