CVE-2025-25034 PoC — SugarCRM 安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-25034.yaml

Associated Vulnerability

Title:SugarCRM 安全漏洞 (CVE-2025-25034)
Description:SugarCRM是美国SugarCRM公司的一套开源的客户关系管理系统（CRM）。该系统支持对不同的客户需求进行差异化营销、管理和分配销售线索，实现销售代表的信息共享和追踪。 SugarCRM存在安全漏洞，该漏洞源于对SugarRestSerialize.php中rest_data参数的反序列化验证不足，可能导致任意代码执行。以下版本受到影响：6.5.24之前版本、6.7.13之前版本、7.5.2.5之前版本、7.6.2.2之前版本和7.7.1.0之前版本。

Description

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors.

File Snapshot


 id: CVE-2025-25034

info:
  name: SugarCRM - Unauthenticated Remote Code Execution via PHP Object In

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!