CVE-2025-64488

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects arbitrary SQL. An attack can lead to unauthorized data access and data exfiltration, complete database compromise, and various other issues. This issue is fixed in versions 7.14.8 and 8.9.1.
Configurations

Configuration 1

cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*

History

25 Nov 2025, 17:29

Type Values Removed Values Added
Summary
  • (es) SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects arbitrary SQL. An attack can lead to unauthorized data access and data exfiltration, complete database compromise, and various other issues. This issue is fixed in versions 7.14.8 and 8.9.1.
First Time Salesagility
Salesagility suitecrm
References removed: https://github.com/SuiteCRM/SuiteCRM-Core/commit/30277cfe69755f7360a23d4805e06a5c38f14131 ; added: https://github.com/SuiteCRM/SuiteCRM-Core/commit/30277cfe69755f7360a23d4805e06a5c38f14131 - Patch
References removed: https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d ; added: https://github.com/SuiteCRM/SuiteCRM/commit/40da2845a170832a4e9e9fa0ebe731f8c34de42d - Patch
References removed: https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5v53-v44q-ww2c ; added: https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5v53-v44q-ww2c - Vendor Advisory
CVSS removed: v2 : unknown, v3 : unknown ; added: v2 : unknown, v3 : 8.8
CPE cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*

08 Nov 2025, 00:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-11-08 00:15

Updated : 2025-11-25 17:29


NVD link : CVE-2025-64488

Mitre link : CVE-2025-64488

CVE.ORG link : CVE-2025-64488



Products Affected

salesagility

  • suitecrm
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')