CVE-2025-52575

MEDIUM

Espocrm < 9.1.7 - LDAP Injection

Title source: rule

Description

EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g., *). This may allow the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration. This was fixed in version 9.1.7.

References (2)

[Exploit, Vendor Advisory] https://github.com/espocrm/espocrm/security/advisories/GHSA-rjm8-77fr-4f3v

[Patch] https://github.com/espocrm/espocrm/commit/8649f1ac0ce714b2c31727bca3dd95d06e17337f

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0036

EPSS Percentile 58.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-90

Status published

Products (1)

espocrm/espocrm < 9.1.7

Published Jul 21, 2025

Tracked Since Feb 18, 2026