What is the CVSS score of CVE-2025-25034?

CVE-2025-25034 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. EPSS exploitation probability: 73.5%.

Which versions of PHP are affected by CVE-2025-25034?

SugarCRM versions 6.5.x through 7.7.x contain a critical PHP object injection vulnerability enabling unauthenticated remote code execution.. A patch is available.

Is there a public PoC exploit available for CVE-2025-25034?

Yes, a public proof-of-concept exploit is available for CVE-2025-25034. Prioritise patching immediately. EPSS: 73.5%.

How to fix or mitigate CVE-2025-25034?

Within 24 hours: Identify all SugarCRM instances and document current versions. Within 7 days: Apply vendor patches immediately - upgrade to SugarCRM 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, or 7.7.1.0 or later depending on your current version line. Within 30 days: Conduct forensic review of access logs for the rest_data parameter and SugarRestSerialize.php since deployment to identify potential compromise; rotate credentials for accounts accessible via affected instances.

PHP CVE-2025-25034

EUVD-2025-18782 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2025-06-20 disclosure@vulncheck.com

PHP RCE Deserialization

9.3

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:53 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

6.5.23,7.5.2.4,6.7.12

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-18782

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

PoC Detected

Nov 20, 2025 - 17:15 vuln.today

Public exploit code

CVE Published

Jun 20, 2025 - 19:15 nvd

CRITICAL 9.3

DescriptionNVD

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the rest_data parameter before passing it to the unserialize() function. This allows an unauthenticated attacker to submit crafted serialized data containing malicious object declarations, resulting in arbitrary code execution within the application context. Although SugarCRM released a prior fix in advisory sugarcrm-sa-2016-001, the patch was incomplete and failed to address some vectors. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-13 UTC.

AnalysisAI

SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 contain a PHP object injection vulnerability via the SugarRestSerialize.php script. The rest_data parameter is passed to unserialize() without validation, allowing unauthenticated attackers to inject malicious PHP objects for remote code execution.

Technical ContextAI

The SugarRestSerialize.php script deserializes the rest_data POST parameter using PHP's unserialize() function without input validation. An attacker can craft a serialized PHP object with magic methods (__destruct, __wakeup, __toString) that trigger arbitrary code execution during deserialization. SugarCRM's large codebase provides numerous gadget chains for exploitation.

RemediationAI

Update SugarCRM to a patched version. Restrict access to the REST API endpoint. Deploy a WAF with PHP serialization detection rules. Monitor the web root for unauthorized file creation.

CVE-2025-25034 vulnerability details – vuln.today

Back