Impact
SuiteCRM suffers from a critical remote code execution vulnerability in its ModuleScanner.php component, specifically in the PHP token parsing logic. The flaw mismanages the internal $checkFunction flag when the scanner encounters single‑character tokens, which lets a crafted module conceal calls to dangerous functions such as system() or exec() behind variable assignments or string concatenation. Exploitation requires an authenticated administrator, but any account with admin privileges can then run arbitrary system commands, compromising the confidentiality, integrity, and availability of the entire system. The weakness maps to CWE‑358 (PHP token parsing error) and CWE‑94 (code injection).
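To make the detection-side point concrete, the following is an added example, not SuiteCRM's ModuleScanner.php and not code from the page: a conservative PHP token scanner that inspects every token independently instead of relying on a stateful "check the next token" flag, so single-character tokens such as '=', '.' or '(' cannot desynchronise it. The DANGEROUS_FUNCTIONS list, the sample sources and the helper names are constructed for illustration, and the block assumes PHP 8 (the defined() guard keeps it working on 7.x, where fully-qualified names tokenize as separate T_STRING tokens).

```php
<?php
// Added example (not SuiteCRM's code): a conservative token-based scanner for
// uploaded PHP sources. Every token is examined on its own, so a dangerous name
// is reported whether it appears as a direct call, as a bare identifier, or as a
// string literal that could later be invoked dynamically. Dynamic calls
// ($name(...)) and eval are reported because their target cannot be resolved
// statically. The function list and samples below are illustrative only.

declare(strict_types=1);

const DANGEROUS_FUNCTIONS = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];

/** Return the previous token that is not whitespace or a comment, or null. */
function previousSignificantToken(array $tokens, int $i): array|string|null
{
    for ($j = $i - 1; $j >= 0; $j--) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $t;
    }
    return null;
}

/** Scan PHP source text and return findings as [line, message] pairs. */
function scanPhpSource(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $lastLine = 1;

    foreach ($tokens as $i => $token) {
        if (!is_array($token)) {
            // Single-character tokens carry no line number; reuse the last one seen.
            $prev = previousSignificantToken($tokens, $i);
            if ($token === '(' && is_array($prev) && $prev[0] === T_VARIABLE) {
                $findings[] = [$lastLine, "dynamic call through {$prev[1]}()"];
            }
            continue;
        }

        [$id, $text, $line] = $token;
        $lastLine = $line;
        $name = strtolower(ltrim($text, '\\'));

        // PHP 8 tokenizes \exec as T_NAME_FULLY_QUALIFIED; PHP 7 yields T_STRING.
        $isIdentifier = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);

        if ($isIdentifier && in_array($name, DANGEROUS_FUNCTIONS, true)) {
            $findings[] = [$line, "identifier '$text' names a dangerous function"];
        } elseif ($id === T_CONSTANT_ENCAPSED_STRING) {
            $literal = strtolower(trim($text, "'\""));
            if (in_array($literal, DANGEROUS_FUNCTIONS, true)) {
                $findings[] = [$line, "string literal $text names a dangerous function"];
            }
        } elseif ($id === T_EVAL) {
            $findings[] = [$line, 'eval() cannot be scanned statically'];
        }
    }

    return $findings;
}

// Constructed sample inputs: one benign file and two where the dangerous name is
// not immediately followed by '(', which a next-token-only check would miss.
$samples = [
    'benign'         => "<?php\n\$out = strtoupper('hello');\n",
    'assigned-name'  => "<?php\n\$fn = 'system';\n\$fn('id');\n",
    'qualified-call' => "<?php\n\\exec('id');\n",
];

foreach ($samples as $label => $source) {
    $findings = scanPhpSource($source);
    echo $label, ': ', $findings === [] ? 'clean' : count($findings) . ' finding(s)', PHP_EOL;
    foreach ($findings as [$line, $message]) {
        echo "  line $line: $message", PHP_EOL;
    }
}
```

Run with `php scanner.php`; the benign sample reports clean, the assigned-name sample reports the string literal on line 2 and the dynamic call on line 3, and the qualified call is reported on line 2. The scanner deliberately accepts false positives (a method named exec, a harmless string 'system') because a denylist scanner that tries to be clever about context is exactly what the $checkFunction flag bug shows to be fragile; in practice such a scan is a second line of defence behind restricting who may upload modules at all.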
Affected Systems
Affected products are SuiteCRM 7.15.0 and 8.9.2. The issue was introduced when the vendor attempted to patch CVE‑2024‑49774 in version 7.14.5, but the underlying flaw persisted. Versions 7.15.1 and 8.9.3 contain the fix. Therefore, any installation running 7.15.0 or 8.9.2 remains vulnerable. Other SuiteCRM releases are not listed as affected.
Risk and Exploitability
The CVSS score of 9.1 reflects the high severity of this remote code execution. An EPSS score under 1% suggests that the probability of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation does require an authenticated administrator, but that prerequisite is realistic in many organisations. The attack proceeds by bypassing the ModuleLoader Package Scanner security checks, so that an uploaded module can embed malicious function calls that evade detection. If exploited, the attacker could gain full control over the web server and potentially the underlying operating system.
OpenCVE Enrichment