CVE-2025-54785 HIGH

CVE-2025-54785: SuiteCRM is Vulnerable to PHP Object Injection in Reports

Vendor Suitecrm
Product SuiteCRM
Weakness CWE-20 · Improper input validation (the underlying pattern, untrusted data passed to unserialize(), is the one CWE-502 describes)
Published August 6, 2025
Last update August 7, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input reaching the Reports module is passed to PHP's unserialize() function without validation or sanitization. An authenticated user (PR:L in the vector) can therefore inject arbitrary PHP objects; depending on the gadget classes available in the application, this can lead to privilege escalation, sensitive data exposure, denial of service, or full compromise of the host (for example deployment of cryptomining or ransomware payloads). This issue is fixed in versions 7.14.7 and 8.8.1.

Key dates

02 Disclosure timeline

August 6, 2025 CVE published
August 7, 2025 Record updated