Deserialization in Sugarcrm
CVE-2025-25034
A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to s…
Vulnerability class: Insecure Deserialization
EPSS: 0.715 (98.7th percentile) — read the EPSS interpretation.
Affected products
- Sugarcrm — versions 6.5.0, 6.7.0, 7.5.0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- web.archive.org/web/20160725194502/http://www.sugarcrm.com/security/sugarcrm-sa… (vendor-advisory)
- web.archive.org/web/20160508053502/http://www.sugarcrm.com/security/sugarcrm-sa… (vendor-advisory)
- karmainsecurity.com/KIS-2016-07 (technical-description, third-party-advisory)
- www.exploit-db.com/exploits/40344 (exploit)
- raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/u… (exploit)
- www.sugarcrm.com/crm/ (product)
- vulncheck.com/advisories/sugarcrm-php-deserialization-rce (third-party-advisory)
Frequently asked questions
- What is CVE-2025-25034?
- CVE-2025-25034 is a vulnerability in Sugarcrm, classified under Deserialization of Untrusted Data. Published 2025-06-20.
- Is CVE-2025-25034 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.