Description
A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.
Published: 2025-06-20
Score: 9.3 Critical
EPSS: 75.4% High
KEV: No
Impact: Remote code execution via PHP unserialize
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can trigger remote code execution by sending specially crafted PHP serialized data into the rest_data parameter of SugarCRM's SugarRestSerialize.php. The application fails to sanitize serialized input before passing it to PHP's unserialize() function, leading to object injection that can execute arbitrary code in the context of the web server. The flaw is present in all SugarCRM releases older than 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0. Because the code runs with the web application privileges, an attacker who succeeds can gain full control of the compromised instance, including data exfiltration and persistence.

Affected Systems

The vulnerability affects SugarCRM's enterprise edition. Affected releases include any version released before 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, or 7.7.1.0. These versions were still enabled by default in many deployments, making the issue widely exploitable for organizations running legacy SugarCRM installations.

Risk and Exploitability

With a CVSS score of 9.3, the flaw is considered critical, and an EPSS score of 75 % indicates a high probability of exploitation at the time of analysis. The vulnerability has not yet been catalogued by CISA KEV, but Shadowserver confirmed exploitation in September 2024. The attack vector is a remote unauthenticated request to the REST endpoint, after which PHP unserialize() is invoked with the attacker‑supplied payload. Unless mitigated, the result is uncontrolled code execution in the application context.

Generated by OpenCVE AI on April 28, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official SugarCRM patch that fully addresses the php deserialization issue, upgrading to at least 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, or 7.7.1.0 releases.
  • Disable or remove the SugarCRM REST API endpoint that accepts the rest_data parameter until a patch is applied.
  • Patch the SugarRestSerialize.php file to validate or sanitize serialized input before calling unserialize, or replace unserialize with a safer deserialization function.

Generated by OpenCVE AI on April 28, 2026 at 22:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18782 A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors.
History

Thu, 20 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
Description A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.

Wed, 19 Nov 2025 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:enterprise:*:*:*

Wed, 16 Jul 2025 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 16 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
References

Mon, 23 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 19:00:00 +0000

Type Values Removed Values Added
Description A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors.
Title SugarCRM PHP Deserialization RCE
Weaknesses CWE-502
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Sugarcrm Sugarcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:08:57.963Z

Reserved: 2025-01-31T18:32:36.213Z

Link: CVE-2025-25034

cve-icon Vulnrichment

Updated: 2025-06-23T15:30:01.365Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T19:15:35.693

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-25034

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T22:45:25Z

Weaknesses