CVE-2025-25034

Scores

EPSS

0.730medium73.0%

0%20%40%60%80%100%

Percentile: 73.0%

CVSS

9.3critical4.0

0246810

CVSS Score: 9.3/10

All CVSS Scores

CVSS 4.0

9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector Breakdown

CVSS (Common Vulnerability Scoring System) vector provides detailed metrics about vulnerability characteristics

CVSS

Attack Vector

Network (N)

Describes how the vulnerability is exploited

AV:N

Attack Complexity

Low (L)

Describes the conditions beyond the attacker's control

AC:L

Attack Requirements

None

AT:N

Privileges Required

None (N)

Describes the level of privileges an attacker must possess

PR:N

User Interaction

None (N)

Captures the requirement for a human user participation

UI:N

Vulnerable System Confidentiality

High (H)

Measures the impact to the confidentiality of information

VC:H

Vulnerable System Integrity

High (H)

Measures the impact to integrity of a successfully exploited vulnerability

VI:H

Vulnerable System Availability

High (H)

Measures the impact to the availability of the impacted component

VA:H

Subsequent System Confidentiality

None (N)

Measures the impact to the confidentiality of information

SC:N

Subsequent System Integrity

None (N)

Measures the impact to integrity of a successfully exploited vulnerability

SI:N

Subsequent System Availability

None (N)

Measures the impact to the availability of the impacted component

SA:N

Temporal Metrics

Exploit Code Maturity

Not Defined

E:X

Environmental Metrics

Confidentiality Requirement

Not Defined

CR:X

Integrity Requirement

Not Defined

IR:X

Availability Requirement

Not Defined

AR:X

Modified Attack Vector

Not Defined

Describes how the vulnerability is exploited

MAV:X

Modified Attack Complexity

Not Defined

Describes the conditions beyond the attacker's control

MAC:X

Modified Attack Requirements

Not Defined

MAT:X

Modified Privileges Required

Not Defined

Describes the level of privileges an attacker must possess

MPR:X

Modified User Interaction

Not Defined

Captures the requirement for a human user participation

MUI:X

Modified Vulnerable System Confidentiality

Not Defined

Measures the impact to the confidentiality of information

MVC:X

Modified Vulnerable System Integrity

Not Defined

Measures the impact to integrity of a successfully exploited vulnerability

MVI:X

Modified Vulnerable System Availability

Not Defined

Measures the impact to the availability of the impacted component

MVA:X

Modified Subsequent System Confidentiality

Not Defined

Measures the impact to the confidentiality of information

MSC:X

Modified Subsequent System Integrity

Not Defined

Measures the impact to integrity of a successfully exploited vulnerability

MSI:X

Modified Subsequent System Availability

Not Defined

Measures the impact to the availability of the impacted component

MSA:X

Description

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors.

Scaner-VS 7 — a modern vulnerability management solution

Uses this database for vulnerability detection. High-speed search, cross-platform, advanced configuration audit, and flexible filtering. Suitable for organizations of any size.

Learn more about Scaner-VS 7

Sources

anchore_overrides

CWEs

CWE-502

Vulnerable Software (1)

Type: Configuration

Operating System:

Trait:

{  "children": [    {      "cpe_match": [        {          "cpe23uri": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*",          "versionEndExcluding": "6.5.23",          "versionStartIncluding"...

{  "children": [    {      "cpe_match": [        {          "cpe23uri": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*",          "versionEndExcluding": "6.5.23",          "versionStartIncluding": "6.5.0"        },        {          "cpe23uri": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*",          "versionEndExcluding": "6.7.12",          "versionStartIncluding": "6.7.0"        },        {          "cpe23uri": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*",          "versionEndExcluding": "7.5.2.4",          "versionStartIncluding": "7.5.0"        },        {          "cpe23uri": "cpe:2.3:a:sugarcrm:sugarcrm:*:*:*:*:*:*:*:*",          "versionEndExcluding": "7.6.2.1",          "versionStartIncluding": "7.6.0"        }      ],      "negate": false,      "operator": "OR"    }  ],  "operator": "OR"}

Source: anchore_overrides

End of list