Strix
26.1K

CVE-2025-64492

HIGHCVSS 8.8/10EPSS 0.30%

Last modified

CVE-2025-64492 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. EPSS estimates a 0.30% chance of exploitation in the next 30 days.

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.30%

21.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
SalesagilitySuitecrm>= 8.0.0, < 8.9.1

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-64492?
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1.
How severe is CVE-2025-64492?
CVE-2025-64492 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.30% probability of exploitation in the next 30 days.
How do I fix CVE-2025-64492?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-64492?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST