CVE-2025-25034
published 2025-06-20

Priority: P1 (82), severity critical, CVSS 4.0 score 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
In the wild: exploited (ITW exploit; VulnCheck KEV)
EPSS: 2.97% (85.5th percentile)
A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.

Affected

4 ranges

Vendor     Product    Version range          Fixed in
sugarcrm   sugarcrm   >= 6.5.0 < 6.5.23      6.5.23
sugarcrm   sugarcrm   >= 6.7.0 < 6.7.12      6.7.12
sugarcrm   sugarcrm   >= 7.5.0 < 7.5.2.4     7.5.2.4
sugarcrm   sugarcrm   >= 7.6.0 < 7.6.2.1     7.6.2.1

Detection & IOCs (extracted from sources)

url: /service/v4/rest.php
path: /service/core/REST/SugarRestSerialize.php
path: custom/
command: method=login&input_type=Serialize&rest_data=O:14:"SugarCacheFile":23:{S:17:"\00*\00_cacheFileName";s:22:"../{{filepath}}";S:16:"\00*\00_cacheChanged";b:1;S:14:"\00*\00_localStore";a:1:{i:0;s:30:"";}}
  • Monitor POST requests to /service/v4/rest.php with Content-Type: application/x-www-form-urlencoded where the body contains input_type=Serialize and rest_data beginning with a PHP serialized object (e.g., 'O:14:"SugarCacheFile"').
  • Alert on unauthenticated HTTP GET requests to files under the /custom/ directory with a .php extension, which may indicate a successfully written webshell via the SugarCacheFile __destruct() gadget chain.
  • Exploitation evidence was observed in the wild by the Shadowserver Foundation on 2024-09-13 UTC; correlate logs around that date for retrospective hunting.
  • The vulnerable parameter is rest_data passed to unserialize() in SugarRestSerialize.php; inspect WAF/IDS logs for serialized PHP object payloads (pattern 'O:[0-9]+:"SugarCacheFile"') in POST bodies to the REST endpoint.
  • The prior vendor patch (sugarcrm-sa-2016-001) was incomplete and did not address all exploitation vectors; instances patched only to that advisory remain vulnerable.
  • The Nuclei template uses a two-step flow: step 1 writes a PHP file via the serialized payload, step 2 GETs the dropped file to confirm execution. Detection logic must account for both requests to avoid false negatives.
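The detection bullets above translate directly into log-matching logic. The following Python is an added example (not code from this record, from SugarCRM or from the Nuclei project) that runs the two indicators over constructed request records: a form-encoded POST to /service/v4/rest.php with input_type=Serialize and rest_data starting with the SugarCacheFile object header (step 1), and a GET of a .php file under /custom/ (step 2). It correlates the two by source address inside a time window so the two-step flow raises one escalated alert, while either request seen alone still raises something. The Request schema, the correlate() function, the window size, the addresses, timestamps and the file name /custom/dropped.php are all assumptions made for the example; rest_data in the sample is elided with "..." after the object header.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple
from urllib.parse import parse_qs

REST_ENDPOINT = "/service/v4/rest.php"
# Serialized PHP object header of the gadget class named in the advisory;
# the same pattern the WAF/IDS bullet suggests.
GADGET_RE = re.compile(r'O:[0-9]+:"SugarCacheFile"')
# Any .php file under /custom/ (query string stripped before matching).
CUSTOM_PHP_RE = re.compile(r"^/custom/.*\.php$")


class Request(NamedTuple):
    """One HTTP request as a proxy/WAF export might record it (assumed schema)."""
    ts: datetime
    src: str
    method: str
    path: str
    content_type: str
    body: str


def is_serialize_post(req: Request) -> bool:
    """Step 1 indicator: form-encoded POST to the REST endpoint carrying
    input_type=Serialize and a rest_data value that begins with the
    SugarCacheFile object header (checked after URL decoding)."""
    if req.method != "POST" or req.path.split("?")[0] != REST_ENDPOINT:
        return False
    if not req.content_type.startswith("application/x-www-form-urlencoded"):
        return False
    fields = parse_qs(req.body, keep_blank_values=True)
    if fields.get("input_type", [""])[0] != "Serialize":
        return False
    rest_data = fields.get("rest_data", [""])[0].lstrip()
    return GADGET_RE.match(rest_data) is not None


def is_custom_php_get(req: Request) -> bool:
    """Step 2 indicator: GET of a .php file under /custom/."""
    return req.method == "GET" and CUSTOM_PHP_RE.match(req.path.split("?")[0]) is not None


def correlate(requests, window=timedelta(minutes=10)):
    """Return (severity, src, reason) alerts.

    A step-1 POST on its own is 'high'. A step-1 POST followed within `window`
    by a /custom/*.php GET from the same source is 'critical' (the two-step
    flow). A /custom/*.php GET with no step-1 POST from that source is 'medium',
    so the second request is not lost when the first was not captured."""
    alerts = []
    step1 = [r for r in requests if is_serialize_post(r)]
    step2 = [r for r in requests if is_custom_php_get(r)]
    for post in step1:
        follow = [g for g in step2
                  if g.src == post.src and post.ts <= g.ts <= post.ts + window]
        if follow:
            alerts.append(("critical", post.src,
                           f"Serialize POST followed by GET {follow[0].path}"))
        else:
            alerts.append(("high", post.src, "Serialize POST with SugarCacheFile payload"))
    step1_sources = {r.src for r in step1}
    for get in step2:
        if get.src not in step1_sources:
            alerts.append(("medium", get.src,
                           f"GET {get.path} under /custom/ without a matching POST"))
    return alerts


# Constructed sample traffic (not real logs). rest_data is URL-encoded as a
# client would send it; everything after the object header is elided.
T0 = datetime(2024, 9, 13, 10, 0, 0)
SAMPLE_REQUESTS = [
    Request(T0, "203.0.113.7", "POST", REST_ENDPOINT,
            "application/x-www-form-urlencoded",
            "method=login&input_type=Serialize&rest_data="
            "O%3A14%3A%22SugarCacheFile%22%3A23%3A%7B...%7D"),
    Request(T0 + timedelta(seconds=3), "203.0.113.7", "GET",
            "/custom/dropped.php", "", ""),
    # Benign JSON login from a different client: must not match.
    Request(T0 + timedelta(minutes=1), "198.51.100.4", "POST", REST_ENDPOINT,
            "application/x-www-form-urlencoded",
            "method=login&input_type=JSON&rest_data=%7B%22user_auth%22%3A%7B%7D%7D"),
    # Static asset under /custom/ that is not a .php file: must not match.
    Request(T0 + timedelta(minutes=2), "198.51.100.9", "GET",
            "/custom/themes/default/style.css", "", ""),
]

if __name__ == "__main__":
    for severity, src, reason in correlate(SAMPLE_REQUESTS):
        print(f"[{severity}] {src}: {reason}")
```

The check decodes the form body before matching, so URL-encoded payloads are caught the same as raw ones; a rule that only greps the encoded body for `O:14:"SugarCacheFile"` would miss the encoded form. Feeding real data requires a log source that retains POST bodies, which a default access log does not.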

CVSS provenance

nvd: CVSS v4.0, 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 9.3 CRITICAL