How to fix CVE-2025-64488?

Within 30 days: Identify all affected systems running versions 7.14.7 and below and 8.0.0-beta.1 and apply vendor patches as part of regular patch cycle. Validate that input sanitization is in place for all user-controlled parameters.

Is Suitecrm affected by CVE-2025-64488?

Organizations using versions 7.14.7 and below and 8.0.0-beta.1 face significant risk from CVE-2025-64488, a SQL injection vulnerability rated CVSS 8.6.

CVE-2025-64488

HIGH

2025-11-08 [email protected]

8.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:21 vuln.today

Patch Released

Mar 28, 2026 - 19:21 nvd

Patch available

CVE Published

Nov 08, 2025 - 00:15 nvd

HIGH 8.6

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0 8.0.0-beta.1, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects arbitrary SQL. An attack can lead to unauthorized data access and data ex-filtration, complete database compromise, and other various issues. This issue is fixed in versions 7.14.8 and 8.9.1.

Analysis

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

Technical Context

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0 8.0.0-beta.1, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects arbitrary SQL. An attack can lead to unauthorized data access and data ex-filtration, complete database compromise, and other various issues. This issue is fixed in versions 7.14.8 and 8.9.1. Affected products include: Salesagility Suitecrm. Version information: through 8.9.0.

Affected Products

Salesagility Suitecrm.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +43

POC: 0

CVE-2025-64488 vulnerability details – vuln.today

Back

CVE-2025-64488

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-64488

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code