CVE-2025-25034

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors.

CVSS

No CVSS.

References

Link	Resource
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb
https://karmainsecurity.com/KIS-2016-07
https://vulncheck.com/advisories/sugarcrm-php-deserialization-rce
https://web.archive.org/web/20160508053502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-001
https://web.archive.org/web/20160725194502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-008
https://www.exploit-db.com/exploits/40344
https://www.sugarcrm.com/crm/

Configurations

No configuration.

History

23 Jun 2025, 20:16

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de inyección de objetos PHP en versiones de SugarCRM anteriores a 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2 y 7.7.1.0 debido a una validación incorrecta de la entrada serializada de PHP en el script SugarRestSerialize.php. El código vulnerable no depura el parámetro rest_data antes de pasarlo a la función unserialize(). Esto permite que un atacante no autenticado envíe datos serializados manipulados que contienen declaraciones de objetos maliciosos, lo que provoca la ejecución de código arbitrario en el contexto de la aplicación. Aunque SugarCRM publicó una corrección previa en el aviso sugarcrm-sa-2016-001, el parche estaba incompleto y no solucionaba algunos vectores.

20 Jun 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-20 19:15

Updated : 2025-06-23 20:16

NVD link : CVE-2025-25034

Mitre link : CVE-2025-25034

CVE.ORG link : CVE-2025-25034

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-25034", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-20T19:15:35.693", "references": [{"url": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/sugarcrm_rest_unserialize_exec.rb", "source": "disclosure@vulncheck.com"}, {"url": "https://karmainsecurity.com/KIS-2016-07", "source": "disclosure@vulncheck.com"}, {"url": "https://vulncheck.com/advisories/sugarcrm-php-deserialization-rce", "source": "disclosure@vulncheck.com"}, {"url": "https://web.archive.org/web/20160508053502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-001", "source": "disclosure@vulncheck.com"}, {"url": "https://web.archive.org/web/20160725194502/http://www.sugarcrm.com/security/sugarcrm-sa-2016-008", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/40344", "source": "disclosure@vulncheck.com"}, {"url": "https://www.sugarcrm.com/crm/", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de objetos PHP en versiones de SugarCRM anteriores a 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2 y 7.7.1.0 debido a una validaci\u00f3n incorrecta de la entrada serializada de PHP en el script SugarRestSerialize.php. El c\u00f3digo vulnerable no depura el par\u00e1metro rest_data antes de pasarlo a la funci\u00f3n unserialize(). Esto permite que un atacante no autenticado env\u00ede datos serializados manipulados que contienen declaraciones de objetos maliciosos, lo que provoca la ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto de la aplicaci\u00f3n. Aunque SugarCRM public\u00f3 una correcci\u00f3n previa en el aviso sugarcrm-sa-2016-001, el parche estaba incompleto y no solucionaba algunos vectores."}], "lastModified": "2025-06-23T20:16:21.633", "sourceIdentifier": "disclosure@vulncheck.com"}