The maintainers of SuiteCRM, the popular open-source customer relationship management (CRM) platform, have released an urgent security update addressing two significant SQL injection vulnerabilities that could allow authenticated users to extract sensitive data from backend databases.
The flaws, tracked as CVE-2025-64492 and CVE-2025-64493, affect SuiteCRM versions up to and including 8.9.0 and have been patched in version 8.9.1.
The first flaw, CVE-2025-64492, carries a CVSS score of 8.8, marking it as high severity. It is a time-based blind SQL injection vulnerability that authenticated users can exploit to retrieve database contents indirectly by measuring response delays.
According to the advisory, a successful attack could allow threat actors to:
- Enumerate database, table, and column names.
- Extract sensitive data including hashed passwords, customer details, and other business-critical information.
- In certain configurations, potentially escalate privileges or even achieve remote code execution—though this is “less common with blind SQLi alone.”
“This vulnerability allows an authenticated attacker to infer data from the database by measuring response times… potentially leading to the extraction of sensitive information,” the SuiteCRM security team stated.
Because the flaw requires authentication, exploitation would most likely come from compromised accounts or malicious insiders who already have access to the CRM dashboard.
The second issue, CVE-2025-64493, affects the GraphQL API in SuiteCRM and is rated CVSS 6.5 (Medium). The vulnerability exists in the appMetadata operation of the GraphQL endpoint, which fails to properly sanitize user-supplied input before interacting with the database.
“There is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API,” the advisory confirmed.
Unlike the previous vulnerability, this one was observed in versions 8.6.0 through 8.8.0 and does not require administrative privileges, significantly widening the potential attack surface.
This means that any logged-in user — even those with limited privileges — could potentially leverage the flaw to exfiltrate sensitive customer information or corporate data.
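As an added example (not part of the advisory or of SuiteCRM's code), the response-time pattern described above can be turned into a detection heuristic over access logs: a time-based blind SQLi oracle makes one user's requests split into a fast group and a slow group clustered around one fixed delay. The log format, the /api/graphql path, user names and thresholds are all assumptions chosen for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed log format (assumed, not SuiteCRM's own): one request per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
                     r"(?P<path>\S+) status=(?P<status>\d+) dur_ms=(?P<dur>\d+)$")

def parse_log(text):
    """Yield (user, path, duration_ms) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["user"], m["path"], int(m["dur"])

def find_timing_probes(records, path_prefix="/api/graphql", min_requests=8,
                       min_slow_ms=2000, min_slow_share=0.3, max_jitter=0.1):
    """Flag (user, path) pairs whose slow responses cluster at one fixed delay.
    A time-based blind SQLi oracle answers each yes/no question either normally
    or with a fixed extra delay, so the probing user's requests split into a fast
    group and a slow group of near-identical duration; ordinary load produces
    slow responses too, but scattered ones.
    """
    by_key = defaultdict(list)
    for user, path, dur in records:
        if path.startswith(path_prefix):
            by_key[(user, path)].append(dur)
    findings = []
    for (user, path), durs in by_key.items():
        slow = [d for d in durs if d >= min_slow_ms]
        if len(durs) < min_requests or len(slow) / len(durs) < min_slow_share:
            continue
        # A fixed injected delay gives a tight cluster: low spread vs. mean.
        jitter = statistics.pstdev(slow) / statistics.mean(slow)
        if jitter <= max_jitter:
            findings.append({"user": user, "path": path, "requests": len(durs),
                             "slow": len(slow), "delay_ms": round(statistics.mean(slow))})
    return findings

def build_sample_log():
    """Constructed sample: alice and carol browse normally, bob probes the API."""
    durations = {
        "alice": [112, 125, 118, 3000, 131, 120, 116, 124],  # one slow cache miss
        "carol": [130, 2100, 118, 3900, 127, 6500, 121, 119],  # slow but scattered
        "bob": [121, 5102, 118, 5088, 124, 5131, 119, 5097, 122, 5115, 117, 120],
    }
    return "\n".join(f"2025-11-10T09:{i:02d}:00Z user={u} POST /api/graphql "
                     f"status=200 dur_ms={d}"
                     for u, durs in durations.items() for i, d in enumerate(durs))
```

Only bob is flagged: alice's single slow response fails the share threshold, and carol's slow responses are too widely spread to be a fixed injected delay.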
SuiteCRM is widely deployed by businesses and public-sector organizations to manage customer relationships, sales pipelines, and marketing data. A successful SQL injection in such a system could expose confidential CRM data, sales records, and personal information of clients and employees.
Both vulnerabilities have been patched in SuiteCRM version 8.9.1, which the maintainers recommend all users upgrade to immediately.