CVE-2025-25034
CRITICAL | EXPLOITED | NUCLEI
SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection
Title source: nuclei
Description
A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.
Exploits (2)
metasploit | WORKING POC | EXCELLENT | ruby | poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb
Nuclei Templates (1)
SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection
CRITICAL | VERIFIED | by Redmomn
FOFA:
app="sugarcrm"
References (7)
Scores
CVSS v4
9.3
EPSS
0.7298
EPSS Percentile
98.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Details
VulnCheck KEV
2025-06-20
CWE
CWE-502
Status
published
Products (4)
SugarCRM/SugarCRM
6.5.0 - 6.5.23
SugarCRM/SugarCRM
6.7.0 - 6.7.12
SugarCRM/SugarCRM
7.5.0 - 7.5.2.4
SugarCRM/SugarCRM
7.6.0 - 7.6.2.1
Published
Jun 20, 2025
Tracked Since
Feb 18, 2026