CVE-2025-25034

Published: Jun 20, 2025

Modified: May 14, 2026

Status: PUBLISHED

Description

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.

Affected products

Vendor     Product    Status     Versions
SugarCRM   SugarCRM   affected   6.5.0 - < 6.5.23
SugarCRM   SugarCRM   affected   6.7.0 - < 6.7.12
SugarCRM   SugarCRM   affected   7.5.0 - < 7.5.2.4
SugarCRM   SugarCRM   affected   7.6.0 - < 7.6.2.1

Weaknesses (CWE)
