CVE-2025-64493

Published Nov 8, 2025

Last updated 5 months ago

CVSS medium 6.5

Overview

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from the database, and does not require administrative access. This issue is fixed in version 8.9.1.
Source
security-advisories@github.com
NVD status
Analyzed
Products
suitecrm

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

security-advisories@github.com
CWE-89

Social media

Hype score
Not currently trending

  1. ☑️ Multiple SuiteCRM Vulnerabilities Exposed — CVSS 6.5 to 8.8 HIGH Severity ​ 🎯 Affected Vulnerabilities​ CVE-2025-64492 (CVSS 8.8): Time-based Blind SQL Injection​ CVE-2025-64493 (CVSS 6.5): Blind SQL Injection via GraphQL API​ These flaws give attackers a di

    @CriminalIP_US

    13 Nov 2025

    728 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨🚨SuiteCRM SQL Injection Flaws CVE-2025-64492: Authenticated Time Based Blind SQL Injection CVE-2025-64493: Authenticated Blind SQL Injection via GraphQL ZoomEye Dork👉app="SuiteCRM" 24.6k+ live targets. ZoomEye Link: https://t.co/1O3iHAij5U Refer: 1. https://t.co/cVWW

    @zoomeye_team

    11 Nov 2025

    1268 Impressions

    7 Retweets

    14 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-64493 Authenticated Blind SQL Injection in SuiteCRM GraphQL API 8.6.0-8.9.0 https://t.co/HwA3SyNifE

    @VulmonFeeds

    8 Nov 2025

    37 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-64493 — SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allo

    @threatquarters

    8 Nov 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-64493 SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, … https://t.co/PqXASo9Fhi

    @CVEnew

    8 Nov 2025

    193 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue.CVE-2026-33289
  2. SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.CVE-2026-33288
  3. SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.CVE-2026-32697
  4. SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue.CVE-2026-29189
  5. SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.CVE-2026-29109

References

Sources include official advisories and independent security research.