CVE-2025-52575
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-08-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espocrm | espocrm | to 9.1.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-90 | The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a blind LDAP Injection in EspoCRM versions 9.1.6 and earlier when LDAP authentication is enabled. An unauthenticated remote attacker can inject specially crafted input containing wildcard characters (like '*') into LDAP queries, manipulating them without proper sanitization. This allows the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration. The issue arises because the application constructs LDAP queries using user input without properly escaping special LDAP characters. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing a remote attacker to bypass authentication controls, potentially gaining unauthorized access. It also enables enumeration of valid usernames, which can aid further attacks such as brute forcing passwords. Additionally, the attacker might retrieve sensitive directory information or cause denial of service by issuing expensive LDAP queries. The impact includes low confidentiality loss and low availability impact, with no integrity loss. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject LDAP wildcard characters (e.g., '*') into the username field of the EspoCRM login form and observing the response. For example, submitting '*' or 'al*' as the username may return valid user entries or bypass authentication. Network monitoring tools can be used to detect unusual LDAP query patterns containing wildcard characters. Specific commands are not provided in the resources, but testing login attempts with wildcard characters and monitoring LDAP queries for unsanitized input can help detect the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade EspoCRM to version 9.1.7 or later, where the vulnerability has been fixed by properly escaping special LDAP characters in the username input. If upgrading is not immediately possible, ensure that LDAP authentication is disabled or restrict access to the login interface to trusted users only. Additionally, monitor and filter LDAP queries to detect and block injection attempts. [1, 2]
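The escaping fix described in the last answer, as an added example that is not EspoCRM's own code: a naive login filter builder (the CWE-90 pattern) beside one that escapes the username per RFC 4515, plus a toy matcher over a constructed directory that makes visible why an unescaped '*' enumerates every user while the escaped value matches nothing. Function names, the filter shape and the sample entries are assumptions.

```python
"""Added example (not EspoCRM code): RFC 4515 escaping of a username before it
is placed in an LDAP search filter, contrasted with naive interpolation."""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",   # backslash first, so later escapes are not double-escaped
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-controlled value for use inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def vulnerable_login_filter(username: str) -> str:
    """The CWE-90 pattern: raw user input concatenated into the filter (assumed shape)."""
    return f"(&(objectClass=person)(uid={username}))"

def hardened_login_filter(username: str) -> str:
    """Same filter with the user-controlled value escaped before insertion."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"

# Constructed sample directory, used only to show what each filter would match.
SAMPLE_DIRECTORY = ["alice", "albert", "bob"]

def matching_uids(filter_str: str) -> list:
    """Toy matcher for the trailing (uid=...) assertion only: an unescaped '*'
    acts as a wildcard, an escaped value is decoded and compared literally.
    A real LDAP server does far more; this just makes the difference visible."""
    pattern = re.search(r"\(uid=(.*?)\)\)$", filter_str).group(1)
    if "*" in pattern:  # an unescaped wildcard survived into the filter
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return [u for u in SAMPLE_DIRECTORY if re.match(regex, u)]
    # Escaped value: turn \XX sequences back into the literal characters.
    literal = re.sub(r"\\([0-9a-fA-F]{2})",
                     lambda h: chr(int(h.group(1), 16)), pattern)
    return [u for u in SAMPLE_DIRECTORY if u == literal]

if __name__ == "__main__":
    for user in ["*", "al*", "alice"]:
        print(user, matching_uids(vulnerable_login_filter(user)),
              matching_uids(hardened_login_filter(user)))
```

The same comparison is a useful detection check: a login filter that still contains a bare '*' after the username was inserted means the escaping step is missing.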