CVE-2025-54785

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransomware. This issue is fixed in version 7.14.7 and 8.8.1.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_7	Release Notes
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-53cp-mpfw-qj67	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:salesagility:suitecrm:7.14.6:::::::*
	cpe:2.3:a:salesagility:suitecrm:8.8.0:::::::*

History

No history.

Information

Published : 2025-08-07 00:15

Updated : 2025-08-13 18:12

NVD link : CVE-2025-54785

Mitre link : CVE-2025-54785

CVE.ORG link : CVE-2025-54785

JSON object : View

Products Affected

salesagility

suitecrm

CWE

CWE-20

Improper Input Validation

NVD-CWE-noinfo

{"id": "CVE-2025-54785", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-08-07T00:15:31.627", "references": [{"url": "https://docs.suitecrm.com/admin/releases/7.14.x/#_7_14_7", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-53cp-mpfw-qj67", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransomware. This issue is fixed in version 7.14.7 and 8.8.1."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de gesti\u00f3n de relaciones con el cliente (CRM) de c\u00f3digo abierto y lista para empresas. En las versiones 7.14.6 y 8.8.0, la informaci\u00f3n proporcionada por el usuario no se valida ni se desinfecta antes de pasarla a la funci\u00f3n de deserializaci\u00f3n, lo que podr\u00eda provocar intrusiones, escalada de privilegios, exposici\u00f3n de datos confidenciales, denegaci\u00f3n de servicio, criptominer\u00eda y ransomware. Este problema se ha corregido en las versiones 7.14.7 y 8.8.1."}], "lastModified": "2025-08-13T18:12:57.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:salesagility:suitecrm:7.14.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4AF203E-EFE6-4DC2-8C36-041CB6AAFF44"}, {"criteria": "cpe:2.3:a:salesagility:suitecrm:8.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98D0BEC7-4738-47F4-9E25-9C89616886F4"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}