CVE-2025-25034
BaseFortify
Publication date: 2025-06-20
Last updated on: 2025-11-20
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a PHP object injection in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0. It occurs because the application improperly validates PHP serialized input in the SugarRestSerialize.php script. Specifically, the rest_data parameter is not sanitized before being passed to the unserialize() function, allowing an unauthenticated attacker to submit crafted serialized data containing malicious object declarations. This can lead to arbitrary code execution within the application context.
How can this vulnerability impact me? :
This vulnerability can allow an unauthenticated attacker to execute arbitrary code within the context of the SugarCRM application. This could lead to full compromise of the application, unauthorized access to sensitive data, disruption of services, and potentially further attacks on the underlying system or network.