Platform: php
Component: suitecrm
Fixed in: 7.10.8
CVE-2019-25663 describes a SQL injection vulnerability discovered in SuiteCRM. This flaw allows authenticated attackers to manipulate database queries, potentially leading to unauthorized access to sensitive information. The vulnerability affects SuiteCRM versions 7.10.7 through 7.10.7, and a patch is available in version 7.10.16.
An attacker exploiting this SQL injection vulnerability can inject malicious SQL code through the parentTab parameter within the email module's GET requests. By leveraging boolean-based SQL injection techniques, they can bypass security measures and directly query the database. This allows for the extraction of sensitive data, including user credentials, customer information, and potentially other confidential business data. Successful exploitation could lead to a significant data breach and compromise the integrity of the SuiteCRM system. The impact is amplified if SuiteCRM is integrated with other critical business applications, as the attacker could potentially use this vulnerability as a stepping stone for lateral movement within the network.
CVE-2019-25663 was published on 2026-04-05. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential for data theft make it a concerning vulnerability. The vulnerability's presence in a widely used CRM system increases the likelihood of exploitation attempts. No KEV listing is currently available.
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2019-25663 is to upgrade SuiteCRM to version 7.10.16 or later, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out malicious SQL injection attempts targeting the parentTab parameter in the email module. Additionally, carefully review and restrict user permissions within SuiteCRM to limit the potential impact of a successful attack. Regularly audit database access logs for suspicious activity.
Update SuiteCRM to version 7.10.16 or later to mitigate the SQL Injection vulnerability. Ensure you back up your database before applying the update. Refer to the official SuiteCRM documentation for detailed instructions on how to update.
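A defender-side illustration of the WAF and log-audit advice above, added here and not taken from this advisory or from SuiteCRM's own code. It assumes (hypothetically) that a legitimate parentTab value is an identifier-like tab-group name, applies that allowlist, and scans constructed Apache-style access-log lines for Emails-module GET requests whose parentTab fails it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2026:10:00:01 +0000] "GET /index.php?module=Emails&action=index&parentTab=All HTTP/1.1" 200 5120
10.0.0.5 - - [05/Apr/2026:10:00:02 +0000] "GET /index.php?module=Emails&action=index&parentTab=Sales_Marketing HTTP/1.1" 200 5120
10.0.0.9 - - [05/Apr/2026:10:00:03 +0000] "GET /index.php?module=Emails&action=index&parentTab=All%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 5120
10.0.0.9 - - [05/Apr/2026:10:00:04 +0000] "GET /index.php?module=Accounts&action=index&parentTab=All HTTP/1.1" 200 4096
"""

# Assumption: a legitimate parentTab value is a tab-group name built from identifier characters only.
TAB_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")
# Minimal parser for the common-log request line: client IP, timestamp, method, URL, status.
REQ_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_valid_parent_tab(value: str) -> bool:
    """Allowlist check a defender can enforce in a WAF rule or in the application itself."""
    return bool(TAB_NAME.match(value))


def find_suspicious_requests(log_text: str):
    """Return (ip, timestamp, decoded parentTab) for Emails-module GET requests
    whose parentTab value fails the allowlist; other modules are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        # parse_qs percent-decodes, so the check runs on the value the application would see.
        qs = parse_qs(urlsplit(m["url"]).query, keep_blank_values=True)
        if qs.get("module", [""])[0] != "Emails":
            continue
        for raw in qs.get("parentTab", []):
            if not is_valid_parent_tab(raw):
                hits.append((m["ip"], m["ts"], raw))
    return hits


if __name__ == "__main__":
    for ip, ts, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious parentTab={value!r}")
```

The same allowlist applied before the value reaches a query is the application-side counterpart of the WAF rule; the log scan is only a retrospective check for the audit step.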
CVE-2019-25663 is a SQL injection vulnerability in SuiteCRM versions 7.10.7–7.10.7, allowing attackers to manipulate database queries and potentially extract sensitive data.
If you are running SuiteCRM versions 7.10.7–7.10.7, you are potentially affected by this vulnerability. Upgrade to 7.10.16 or later to mitigate the risk.
The recommended fix is to upgrade SuiteCRM to version 7.10.16 or later. As a temporary workaround, implement a WAF rule to filter malicious SQL injection attempts.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's ease of exploitation makes it a potential target.
Refer to the official SuiteCRM security advisory for detailed information and updates regarding CVE-2019-25663.