A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors.
History
Wed, 16 Jul 2025 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Wed, 16 Jul 2025 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Mon, 23 Jun 2025 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc |

Fri, 20 Jun 2025 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. |
| Title | | SugarCRM PHP Deserialization RCE |
| Weaknesses | | CWE-502 |
| References | | |
| Metrics | | cvssV4_0 |
MITRE
Status: PUBLISHED
Assigner: VulnCheck
Published: 2025-06-20T18:34:13.197Z
Updated: 2025-07-16T17:57:03.494Z
Reserved: 2025-01-31T18:32:36.213Z
Link: CVE-2025-25034

Vulnrichment
Updated: 2025-06-23T15:30:01.365Z

NVD
Status: Awaiting Analysis
Published: 2025-06-20T19:15:35.693
Modified: 2025-07-16T18:15:24.067
Link: CVE-2025-25034

Redhat
No data.