Platform: php
Component: suitecrm
Fixed in: 7.14.5, 8.0.1
CVE-2024-36409 describes a critical SQL Injection vulnerability affecting SuiteCRM, an open-source CRM application. The flaw arises from insufficient input validation within the Tree data entry point: user-supplied input reaches a SQL statement without adequate checking, enabling attackers to execute arbitrary SQL queries. The vulnerability impacts versions prior to 7.14.4 and 8.6.1. A patch is available in version 7.14.4.
Successful exploitation of CVE-2024-36409 allows an attacker to bypass security measures and directly manipulate the database underlying SuiteCRM. This could lead to unauthorized access, modification, or deletion of sensitive customer data, financial records, and other critical business information. Depending on database privileges, an attacker might also be able to gain control of the underlying server, facilitating lateral movement within the network. The potential blast radius is significant, as a compromised SuiteCRM instance can expose a wide range of confidential data.
CVE-2024-36409 was publicly disclosed on June 10, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread attacks.
Exploit Status
EPSS: 0.29% (52nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-36409 is to upgrade SuiteCRM to version 7.14.4 or later immediately. If upgrading is not feasible because of compatibility issues or downtime constraints, consider deploying a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL Injection attempts targeting the Tree data entry point. Input validation and sanitization should also be applied at the application level to further reduce the attack surface. Regularly review and tighten database user permissions so that a successful attack is limited to the least privilege the application actually needs.
Update SuiteCRM to version 7.14.4 or higher, or to version 8.6.1 or higher. This will correct the SQL Injection vulnerability. It is recommended to create a backup before updating.
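The application-level pattern behind this class of flaw, shown as an added illustration rather than SuiteCRM's own code: a request value for a tree endpoint is interpolated into a SQL string (vulnerable form) versus validated and bound as a prepared-statement parameter (hardened form). The function names, the `tree_nodes` table, its columns, the use of PDO, and the assumed GUID-shaped record id are all hypothetical stand-ins chosen for the example.

```php
<?php
// Added example, not SuiteCRM code. Table, columns, function names and the
// id format are assumptions used only to illustrate the two patterns.

declare(strict_types=1);

/**
 * Vulnerable pattern: the request value becomes part of the SQL text.
 * Whatever the client sends is parsed by the database as SQL.
 */
function loadTreeNodesVulnerable(PDO $pdo, string $parentId): array
{
    $sql = "SELECT id, name FROM tree_nodes WHERE parent_id = '$parentId'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened pattern: reject input that does not have the expected shape,
 * then bind it as a parameter so it is never interpreted as SQL.
 */
function loadTreeNodesHardened(PDO $pdo, string $parentId): array
{
    // Assumption: record ids are 36-character GUIDs. Anything else is refused
    // before it gets anywhere near the database.
    if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $parentId)) {
        throw new InvalidArgumentException('invalid parent id');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM tree_nodes WHERE parent_id = :pid');
    $stmt->execute([':pid' => $parentId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Identifiers (column names, sort direction) cannot be bound as parameters.
 * Map client choices through an allowlist instead of trusting the string.
 */
function safeSortColumn(string $requested): string
{
    $allowed = ['name' => 'name', 'modified' => 'date_modified'];
    return $allowed[$requested] ?? 'name';
}

// Constructed sample data in an in-memory SQLite database so the example
// runs offline; real deployments use the CRM's configured database.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the driver do real binding
]);
$pdo->exec('CREATE TABLE tree_nodes (id TEXT, parent_id TEXT, name TEXT)');
$pdo->exec("INSERT INTO tree_nodes VALUES
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'Accounts'),
    ('22222222-2222-2222-2222-222222222222', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'Contacts'),
    ('33333333-3333-3333-3333-333333333333', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Leads')");

// Well-formed input: both versions return the same two rows.
$rows = loadTreeNodesHardened($pdo, 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa');
echo count($rows), " nodes for valid parent\n"; // 2 nodes for valid parent

// Malformed input: the hardened version refuses it up front, whereas the
// vulnerable version would hand the raw string to the SQL parser.
try {
    loadTreeNodesHardened($pdo, "not-a-guid");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n"; // rejected: invalid parent id
}

echo "sort column: ", safeSortColumn('drop_me'), "\n"; // sort column: name
```

The two defences are deliberately independent: the format check stops malformed values at the edge, and the bound parameter guarantees that even a value which passes the check can only ever be compared as data. Either alone reduces risk; together they also give the application a clear place to log rejected input, which is useful for spotting probing of an endpoint like the one this advisory describes.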
CVE-2024-36409 is a critical SQL Injection vulnerability in SuiteCRM versions prior to 7.14.4 and 8.6.1, allowing attackers to manipulate the database through insufficient input validation.
You are affected if you are running SuiteCRM versions 8.0.0 or earlier, or versions between 8.0.0 and 8.6.1 (exclusive).
Upgrade SuiteCRM to version 7.14.4 or later to patch the vulnerability. Consider implementing a WAF as an interim measure if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are currently known, the CRITICAL severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official SuiteCRM security advisory for detailed information and updates: [https://suitecrm.com/security/bulletin-2024-0003](https://suitecrm.com/security/bulletin-2024-0003)