CVE-2025-25034

EPSS 2.97%
Veröffentlicht 20.06.2025 18:34:13
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

SugarCRM PHP Deserialization RCE

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerSugarCRM

≫

Produkt SugarCRM

Default Statusunaffected

Version 6.5.0

Version < 6.5.23

Status affected

Version 6.7.0

Version < 6.7.12

Status affected

Version 7.5.0

Version < 7.5.2.4

Status affected

Version 7.6.0

Version < 7.6.2.1

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.97%	0.855

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://web.archive.org/web/20160725194502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-008

https://web.archive.org/web/20160508053502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-001

https://karmainsecurity.com/KIS-2016-07

https://www.exploit-db.com/exploits/40344

https://www.sugarcrm.com/crm/

https://vulncheck.com/advisories/sugarcrm-php-deserialization-rce

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb

https://nvd.nist.gov/vuln/detail/CVE-2025-25034

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-25034

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-25034

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-25034