Multiple vulnerabilities in winCRM
The following versions of winCRM are affected:
- Web versions: https://www.wincrm.eu/
- Desktop versions: wincrm.exe and winsat.exe.
INCIBE has coordinated the publication of 14 vulnerabilities, 2 of critical severity, 10 of high severity, and 2 of medium severity, affecting the winCRM application, a customer relationship management software. The vulnerabilities were discovered by Alejandro Amorín Niño and Cosme Vázquez Tomé.
The identifier, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type assigned to each vulnerability are:
- CVE-2025-59906 and CVE-2025-59907: CVSS v4.0 base score 9.3 | vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-798
- CVE-2025-59908 to CVE-2025-59917: CVSS v4.0 base score 7.0 | vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-284
- CVE-2025-59918 and CVE-2025-59919: CVSS v4.0 base score 5.1 | vector AV:N/AC:L/AT:N/PR:H/UI:R/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | CWE-79
The vulnerabilities have been addressed by the winCRM team in both the online version and the Windows version in the latest available release.
On December 11, 2025, the previous version of winCRM Online was fully replaced by the new, completely rewritten version, which features improved security technology and architecture.
- Hardcoded credentials in the executable files. These can be extracted using the “Strings.exe” tool and could allow an attacker unauthorized access to the database and SMTP server.
  - CVE-2025-59906: 'winCRM.exe'.
  - CVE-2025-59907: 'winSAT.exe'.
- Insecure Direct Object Reference (IDOR) vulnerability. Exploiting this vulnerability allows a user to view the names of other users/companies on the platform by iterating over the numerical value that identifies the customer in the URL:
  - CVE-2025-59908: 'idCliente' parameter in '/Gestion/DocumentosCrear/'.
  - CVE-2025-59909: 'ClientesCamposAdicionales' parameter in '/Clientes/ClientesCamposAdicionales/'.
  - CVE-2025-59910: 'ClientesClasificaciones' parameter in '/Clientes/ClientesClasificaciones/'.
  - CVE-2025-59911: 'TareasCrear' parameter in '/Tareas/TareasCrear/'.
  - CVE-2025-59912: 'ClientesEventos' parameter in '/Clientes/ClientesEventos/'.
  - CVE-2025-59913: 'ClientesOportunidades' parameter in '/Clientes/ClientesOportunidades/'.
  - CVE-2025-59914: 'EstadosEventosEditar' parameter in '/Eventos/EstadosEventosEditar'.
  - CVE-2025-59915: 'ObtenerEstadosDoc' parameter in '/Gestion/ObtenerEstadosDoc'.
  - CVE-2025-59916: 'DocumentosAnadirLineas' parameter in '/Gestion/DocumentosAnadirLineas/'.
  - CVE-2025-59917: 'DocumentosOpcionesImprimir' parameter in '/Gestion/DocumentosOpcionesImprimir/'.
- Stored Cross-Site Scripting (XSS) vulnerability in winCRM. Exploiting this vulnerability could allow a remote user to send a specially crafted URL to the victim and, because JavaScript code can be injected, steal their session data. The affected parameters and their identifiers are:
  - CVE-2025-59918: 'Tarea' parameter in '/Tareas/TareasCrear?ddv=cal'.
  - CVE-2025-59919: 'Nombre' and 'Observaciones' parameters in '/Clientes/ClientesCrear?ddv=cal'.
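The IDOR group above is exploited by walking the numeric customer identifier, which leaves a distinctive trace in web-server access logs: one authenticated user touching many distinct 'idCliente' values on the listed endpoints in a short time. The following Python is an added detection example, not code from the INCIBE advisory or from winCRM; it assumes Common Log Format with the authenticated user name in the third field, and the sample log lines, user names, threshold and window are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse
# Endpoints named for CVE-2025-59908 to CVE-2025-59917 (trailing slash stripped).
AFFECTED_PATHS = {
    "/Gestion/DocumentosCrear", "/Clientes/ClientesCamposAdicionales",
    "/Clientes/ClientesClasificaciones", "/Tareas/TareasCrear",
    "/Clientes/ClientesEventos", "/Clientes/ClientesOportunidades",
    "/Eventos/EstadosEventosEditar", "/Gestion/ObtenerEstadosDoc",
    "/Gestion/DocumentosAnadirLineas", "/Gestion/DocumentosOpcionesImprimir",
}
# Common Log Format; the third field is assumed to carry the authenticated user name.
LOG_RE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" \d{3}')

def parse_line(line):
    """Return (user, timestamp, idCliente) for a hit on an affected endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    ids = parse_qs(url.query).get("idCliente")
    if url.path.rstrip("/") not in AFFECTED_PATHS or not ids or not ids[0].isdigit():
        return None
    return m["user"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(ids[0])

def find_enumerators(lines, threshold=5, window_seconds=60):
    """Users with >= threshold distinct idCliente values inside one window -> sorted ids."""
    hits = defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        hits[parsed[0]].append(parsed[1:])  # (timestamp, idCliente) per user
    flagged = {}
    for user, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window starting at each hit
            seen = {cid for ts, cid in events[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(seen) >= threshold:
                flagged[user] = sorted(seen)
                break
    return flagged

# Constructed sample: 'scanner' walks consecutive ids; 'alice' only touches her own customer.
SAMPLE_LOG = [
    f'10.0.0.5 - scanner [11/Dec/2025:10:00:{s:02d} +0000] "GET /Gestion/DocumentosCrear/?idCliente={100 + s} HTTP/1.1" 200 512'
    for s in range(6)
] + [
    '10.0.0.9 - alice [11/Dec/2025:10:00:03 +0000] "GET /Clientes/ClientesEventos/?idCliente=42 HTTP/1.1" 200 880',
    '10.0.0.9 - alice [11/Dec/2025:10:00:09 +0000] "POST /Clientes/ClientesOportunidades/?idCliente=42 HTTP/1.1" 200 120',
    '10.0.0.9 - alice [11/Dec/2025:10:00:15 +0000] "GET /Unaffected/Placeholder?idCliente=43 HTTP/1.1" 200 300',
]
```

Running `find_enumerators(SAMPLE_LOG)` flags only `scanner`; requests to paths outside the affected set are ignored, so a legitimate user working several of their own records stays below the threshold.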
| CVE identifier | Severity | Exploitation | Vendor |
|---|---|---|---|
| CVE-2025-59906 | Critical | No | winCRM |
| CVE-2025-59907 | Critical | No | winCRM |
| CVE-2025-59908 | High | No | winCRM |
| CVE-2025-59909 | High | No | winCRM |
| CVE-2025-59910 | High | No | winCRM |
| CVE-2025-59911 | High | No | winCRM |
| CVE-2025-59912 | High | No | winCRM |
| CVE-2025-59913 | High | No | winCRM |
| CVE-2025-59914 | High | No | winCRM |
| CVE-2025-59915 | High | No | winCRM |
| CVE-2025-59916 | High | No | winCRM |
| CVE-2025-59917 | High | No | winCRM |
| CVE-2025-59918 | Medium | No | winCRM |
| CVE-2025-59919 | Medium | No | winCRM |