CVE-2025-64492

SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1.

INFO

Published Date :

2025-11-08T01:07:23.393Z

Last Modified :

2025-11-10T15:14:20.621Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-64492 vulnerability.

Vendors	Products
Salesagility	Suitecrm
Suitecrm	Suitecrm

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64492.

URL	Resource
https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-54m4-4p54-j8hp

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact