PatchSiren

PatchSiren cyber security CVE debrief

CVE-2020-37094 EspoCRM CVE debrief

CVE-2020-37094 details an authentication token reuse vulnerability in EspoCRM 5.7.0 prior to 5.9.0. This vulnerability allows authenticated attackers to bypass two-factor authentication by exploiting token-to-password-hash mapping. Attackers can obtain an authentication token for a controlled account and replay it against any victim account sharing the same password, bypassing the victim's 2FA protections. The vulnerability exists due to the binding of authentication tokens to password hashes rather than unique per-user values.

Vendor
EspoCRM
Product
Unknown
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-03
Original CVE updated
2026-07-10
Advisory published
2026-02-03
Advisory updated
2026-07-10

Who should care

System administrators and security professionals responsible for EspoCRM installations, particularly those using versions 5.7.0 to 5.8.5, should be aware of this vulnerability. This vulnerability could allow attackers to bypass two-factor authentication, potentially leading to unauthorized access to sensitive information. Affected operator, platform, vulnerability-management, and security-team impact should be reviewed.

Technical summary

The vulnerability exists in the EspoCRM application, specifically in the file application/Espo/Core/Utils/Authentication/Espo.php. The issue arises from the fact that authentication tokens are bound to password hashes rather than unique per-user values. This allows an attacker with a valid authentication token for one account to use it for another account that has the same password, effectively bypassing two-factor authentication for the second account. The vulnerability affects EspoCRM versions 5.7.0 prior to 5.9.0.

Defensive priority

High

Recommended defensive actions

  • Update EspoCRM to version 5.9.0 or later
  • Implement additional monitoring for authentication attempts
  • Consider using more secure authentication methods
  • Review and update password policies for EspoCRM users
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-02-03T22:16:25.673Z and was last modified on 2026-07-10T15:16:35.133Z. The NVD entry is currently Modified. This information is based on the supplied source corpus and may not reflect the current state of the vulnerability. Defenders should verify the affected scope and severity with the official CVE record and NVD entry. The vulnerability affects EspoCRM versions 5.7.0 prior to 5.9.0.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-03T22:16:25.673Z and has not been modified since then. The NVD entry is currently Modified.