CVE-2025-25034 (GCVE-0-2025-25034)
Vulnerability from cvelistv5 – Published: 2025-06-20 18:34 – Updated: 2025-11-20 16:24 X_Known Exploited Vulnerability
VLAI?
Title
SugarCRM PHP Deserialization RCE
Summary
A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
Credits
Egidio Romano
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25034",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-23T15:29:51.587593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T15:30:07.665Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"REST API endpoint /service/core/REST/SugarRestSerialize.php"
],
"product": "SugarCRM",
"vendor": "SugarCRM",
"versions": [
{
"lessThan": "6.5.23",
"status": "affected",
"version": "6.5.0",
"versionType": "semver"
},
{
"lessThan": "6.7.12",
"status": "affected",
"version": "6.7.0",
"versionType": "semver"
},
{
"lessThan": "7.5.2.4",
"status": "affected",
"version": "7.5.0",
"versionType": "semver"
},
{
"lessThan": "7.6.2.1",
"status": "affected",
"version": "7.6.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "6.5.23",
"versionStartIncluding": "6.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "6.7.12",
"versionStartIncluding": "6.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "7.5.2.4",
"versionStartIncluding": "7.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "7.6.2.1",
"versionStartIncluding": "7.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Egidio Romano"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the \u003ccode\u003eSugarRestSerialize.php\u003c/code\u003e script. The vulnerable code fails to sanitize the \u003ccode\u003erest_data\u003c/code\u003e parameter before passing it to the \u003ccode\u003eunserialize()\u003c/code\u003e function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory \u003ccode\u003esugarcrm-sa-2016-001\u003c/code\u003e, the patch was incomplete and failed to address some vectors.\u0026nbsp;Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC."
}
],
"value": "A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Known exploited vulnerability"
}
],
"value": "Known exploited vulnerability"
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T16:24:48.786Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://web.archive.org/web/20160725194502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-008"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://web.archive.org/web/20160508053502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-001"
},
{
"tags": [
"technical-description",
"third-party-advisory"
],
"url": "https://karmainsecurity.com/KIS-2016-07"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40344"
},
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb"
},
{
"tags": [
"product"
],
"url": "https://www.sugarcrm.com/crm/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://vulncheck.com/advisories/sugarcrm-php-deserialization-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_known-exploited-vulnerability"
],
"title": "SugarCRM PHP Deserialization RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-25034",
"datePublished": "2025-06-20T18:34:13.197Z",
"dateReserved": "2025-01-31T18:32:36.213Z",
"dateUpdated": "2025-11-20T16:24:48.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-25034\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-23T15:29:51.587593Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-23T15:30:01.365Z\"}}], \"cna\": {\"tags\": [\"x_known-exploited-vulnerability\"], \"title\": \"SugarCRM PHP Deserialization RCE\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Egidio Romano\"}], \"impacts\": [{\"capecId\": \"CAPEC-586\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-586 Object Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SugarCRM\", \"modules\": [\"REST API endpoint /service/core/REST/SugarRestSerialize.php\"], \"product\": \"SugarCRM\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.5.0\", \"lessThan\": \"6.5.23\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.7.0\", \"lessThan\": \"6.7.12\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"7.5.0\", \"lessThan\": \"7.5.2.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"7.6.0\", \"lessThan\": \"7.6.2.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"Known exploited vulnerability\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Known exploited vulnerability\", \"base64\": false}]}], \"references\": [{\"url\": \"https://web.archive.org/web/20160725194502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-008\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://web.archive.org/web/20160508053502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-001\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://karmainsecurity.com/KIS-2016-07\", \"tags\": [\"technical-description\", \"third-party-advisory\"]}, {\"url\": \"https://www.exploit-db.com/exploits/40344\", \"tags\": [\"exploit\"]}, {\"url\": \"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb\", \"tags\": [\"exploit\"]}, {\"url\": \"https://www.sugarcrm.com/crm/\", \"tags\": [\"product\"]}, {\"url\": \"https://vulncheck.com/advisories/sugarcrm-php-deserialization-rce\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors.\\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the \u003ccode\u003eSugarRestSerialize.php\u003c/code\u003e script. The vulnerable code fails to sanitize the \u003ccode\u003erest_data\u003c/code\u003e parameter before passing it to the \u003ccode\u003eunserialize()\u003c/code\u003e function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory \u003ccode\u003esugarcrm-sa-2016-001\u003c/code\u003e, the patch was incomplete and failed to address some vectors.\u0026nbsp;Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.5.23\", \"versionStartIncluding\": \"6.5.0\"}, {\"criteria\": \"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.12\", \"versionStartIncluding\": \"6.7.0\"}, {\"criteria\": \"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.5.2.4\", \"versionStartIncluding\": \"7.5.0\"}, {\"criteria\": \"cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.6.2.1\", \"versionStartIncluding\": \"7.6.0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-11-20T16:24:48.786Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-25034\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-20T16:24:48.786Z\", \"dateReserved\": \"2025-01-31T18:32:36.213Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2025-06-20T18:34:13.197Z\", \"assignerShortName\": \"VulnCheck\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…