CVE-2025-25034

EPSS 70.09%
Veröffentlicht 20.06.2025 18:34:13
Zuletzt bearbeitet 20.11.2025 17:15:49
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerSugarCRM

≫

Produkt SugarCRM

Default Statusunaffected

Version < 6.5.23

Version 6.5.0

Status affected

Version < 6.7.12

Version 6.7.0

Status affected

Version < 7.5.2.4

Version 7.5.0

Status affected

Version < 7.6.2.1

Version 7.6.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	70.09%	0.986

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://web.archive.org/web/20160725194502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-008

https://web.archive.org/web/20160508053502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-001

https://karmainsecurity.com/KIS-2016-07

https://www.exploit-db.com/exploits/40344

https://www.sugarcrm.com/crm/

https://vulncheck.com/advisories/sugarcrm-php-deserialization-rce

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb

https://nvd.nist.gov/vuln/detail/CVE-2025-25034

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-25034

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-25034

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-25034