CVE-2025-25034

CRITICAL · EXPLOITED · NUCLEI

SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection

Title source: nuclei

Exploitation Summary

CVE-2025-25034 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, including one by researcher Egidio Romano and a Metasploit module (exploits/unix/webapp/sugarcrm_rest_unserialize_exec). A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23 via unserialize() in the REST API, allowing unauthenticated RCE by writing arbitrary PHP code to the /custom directory.

Description

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.

Exploits (2)

exploitdb · WORKING POC
by Egidio Romano · tags: ruby, remote, php
https://www.exploit-db.com/exploits/40344

This Metasploit module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23 via unserialize() in the REST API, allowing unauthenticated RCE by writing arbitrary PHP code to the /custom directory.

Classification
Working PoC: 100%
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SugarCRM CE <= 6.5.23
Authentication: none needed
Prerequisites: network access to the SugarCRM REST API endpoint
Analyzed by devstral-2 on Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb

This Metasploit module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23 via unsafe unserialize() in the REST API. It abuses the __destruct() method of SugarCacheFile to write arbitrary PHP code to the /custom directory, achieving remote code execution.

Classification
Working PoC: 100%
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: SugarCRM CE <= 6.5.23
Authentication: none needed
Prerequisites: network access to the SugarCRM REST API endpoint
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection
CRITICAL · VERIFIED · by Redmomn
FOFA: app="sugarcrm"

Scores

CVSS v4 9.3
EPSS 0.7150
EPSS Percentile 98.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

VulnCheck KEV: 2025-06-20
CWE: CWE-502
Status: published
Products (4):
SugarCRM/SugarCRM 6.5.0 - 6.5.23
SugarCRM/SugarCRM 6.7.0 - 6.7.12
SugarCRM/SugarCRM 7.5.0 - 7.5.2.4
SugarCRM/SugarCRM 7.6.0 - 7.6.2.1
Published: Jun 20, 2025
Tracked since: Feb 18, 2026