Authenticated SSRF Vulnerability in EspoCRM 9.3.3 Exposes Internal Services
What Happened — A newly disclosed CVE‑2026‑33534 allows an authenticated attacker to craft specially‑formatted IPv4 notations (octal, hex, short forms) that bypass EspoCRM’s URL validation, forcing the server to issue HTTP requests to internal addresses (SSRF). The exploit is publicly available on Exploit‑DB and can be used to reach localhost, internal APIs, or cloud metadata services.
Why It Matters for TPRM —
- SSRF can be leveraged to pivot into the vendor’s internal network, exposing customer data or enabling ransomware.
- SaaS CRM platforms often host sensitive business data; a breach could cascade to client organizations.
- The vulnerability is authenticated, meaning compromised credentials (phished or reused) can be weaponized quickly.
Who Is Affected — SaaS CRM providers, their downstream customers in finance, healthcare, and other data‑intensive sectors; any organization that integrates EspoCRM via API or UI.
Recommended Actions —
- Verify whether any EspoCRM instances in your supply chain run version 9.3.3 or earlier.
- Patch to the latest fixed release (≥ 9.3.4) or apply the vendor’s mitigation (input validation).
- Rotate all privileged EspoCRM credentials and enforce MFA.
- Conduct internal scans for SSRF payloads and monitor outbound traffic for anomalous internal requests.
Technical Notes — Authenticated SSRF via alternative IPv4 notation; CVE‑2026‑33534; exploit script available on Exploit‑DB; affects the web‑application layer and can be used to reach internal services such as metadata endpoints. Source: https://www.exploit-db.com/exploits/52583