CVE-2025-54785

HIGH

SuiteCRM 7.14.6 and 8.8.0 - Unauthenticated PHP Object Injection via Unserialize

Title source: llm

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransomware. This issue is fixed in version 7.14.7 and 8.8.1.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-53cp-mpfw-qj67

Release Notes x_refsource_misc

https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_7

Scores

CVSS v3 8.8

EPSS 0.0035

EPSS Percentile 26.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (2)

salesagility/suitecrm 7.14.6

salesagility/suitecrm 8.8.0

Published Aug 07, 2025

Tracked Since Feb 18, 2026