Home

Description

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.

PUBLISHED Reserved 2025-01-31 | Published 2025-06-20 | Updated 2025-11-20 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unaffected

6.5.0 (semver) before 6.5.23
affected

6.7.0 (semver) before 6.7.12
affected

7.5.0 (semver) before 7.5.2.4
affected

7.6.0 (semver) before 7.6.2.1
affected

Credits

Egidio Romano finder

References

web.archive.org/...ugarcrm.com/security/sugarcrm-sa-2016-008 vendor-advisory

web.archive.org/...ugarcrm.com/security/sugarcrm-sa-2016-001 vendor-advisory

karmainsecurity.com/KIS-2016-07 technical-description third-party-advisory

www.exploit-db.com/exploits/40344 exploit

raw.githubusercontent.com/...garcrm_rest_unserialize_exec.rb exploit

www.sugarcrm.com/crm/ product

vulncheck.com/advisories/sugarcrm-php-deserialization-rce third-party-advisory

cve.org (CVE-2025-25034)

nvd.nist.gov (CVE-2025-25034)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.