SuiteCRM is an open-source customer relationship management (CRM) platform, developed on the basis of SugarCRM, which provides a full range of customer management, sales, marketing and service support functions. Thanks to its flexible customization capabilities, reasonable implementation costs, and broad support community, SuiteCRM is chosen by many small and medium-sized enterprises in Vietnam, especially in the fields of commerce, services, and information technology. However, the centralized storage of large amounts of customer data also makes the platform an attractive target for cyber attacks.

Recently, SuiteCRM issued an emergency alert after detecting two serious SQL injection vulnerabilities in older versions of the system. The two vulnerabilities may allow an authenticated attacker to extract sensitive data directly from the database, posing a major risk to customer information and business operations.

The first vulnerability, CVE-2025-64492, was rated high severity with a CVSS score of 8.8. It is a time-based blind SQL injection, in which the attacker uses the delay in the system's response to infer data and extract it step by step. If exploited successfully, the attacker can enumerate the database structure (tables and columns) and collect sensitive information such as hashed passwords or customer data. Exploitation requires an authenticated account, so the risk comes primarily from hijacked accounts or intentional insider activity.

The second vulnerability, CVE-2025-64493, exists in the appMetadata operation of the GraphQL API in SuiteCRM versions 8.6.0 to 8.8.0. The concern is that it does not require administrative rights, meaning any logged-in user could be used to perform an attack. Like CVE-2025-64492, it is a time-based blind SQL injection, allowing data extraction without leaving an immediately obvious trace.

SuiteCRM released patches for both vulnerabilities in version 8.9.1 and recommends that all users upgrade immediately to eliminate the risk of exploitation. In addition to updating the software, security experts also advise enterprises to adopt further measures such as enabling multi-factor authentication, restricting access to the GraphQL API to internal networks or VPNs, deploying a web application firewall, and strengthening monitoring of query logs and logins. With CRM platforms increasingly targeted by attackers, proactive patching and tighter security controls are key to protecting data and corporate reputation.
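Of the measures above, log monitoring can be automated against the one trace a time-based blind injection does leave: a single authenticated user repeatedly receiving deliberately slow responses from the GraphQL endpoint. The script below is an added example, not code from SuiteCRM or from the article; the log line format, the threshold values and the endpoint path /api/graphql are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in an assumed simplified format:
# client user [ISO timestamp] "METHOD path" status response_time_seconds
# /api/graphql is assumed to be the SuiteCRM 8 GraphQL endpoint.
SAMPLE_LOG = """\
10.0.0.5 alice [2025-11-20T09:00:01] "POST /api/graphql" 200 0.041
10.0.0.5 alice [2025-11-20T09:00:03] "POST /api/graphql" 200 0.038
10.0.0.5 alice [2025-11-20T09:00:07] "POST /api/graphql" 200 0.044
10.0.0.9 bob [2025-11-20T09:00:05] "POST /api/graphql" 200 5.012
10.0.0.9 bob [2025-11-20T09:00:11] "POST /api/graphql" 200 5.009
10.0.0.9 bob [2025-11-20T09:00:17] "POST /api/graphql" 200 0.052
10.0.0.9 bob [2025-11-20T09:00:23] "POST /api/graphql" 200 5.015
10.0.0.9 bob [2025-11-20T09:00:29] "POST /api/graphql" 200 5.011
10.0.0.12 carol [2025-11-20T09:00:40] "POST /api/graphql" 200 4.800
10.0.0.12 carol [2025-11-20T09:01:00] "GET /public/index.php" 200 6.100
10.0.0.12 carol [2025-11-20T09:02:15] "POST /api/graphql" 200 4.700
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) (?P<rt>[\d.]+)$')

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "user": m["user"], "ts": datetime.fromisoformat(m["ts"]),
            "path": m["path"], "status": int(m["status"]), "rt": float(m["rt"])}

def find_suspicious_users(log_text, endpoint="/api/graphql", slow_threshold=3.0,
                          window=timedelta(seconds=60), min_slow=3):
    """Map user -> largest number of slow endpoint responses seen in any window.

    Blind time-based extraction yields one bit per request, so the attacker must
    trigger many delayed responses in a short period; a lone slow request (for
    example a heavy report) is ignored. Thresholds are assumed, tune per deployment.
    """
    slow_by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == endpoint and rec["rt"] >= slow_threshold:
            slow_by_user[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, times in slow_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= min_slow:
                flagged[user] = max(flagged.get(user, 0), hits)
    return flagged
```

On the sample above only bob is reported (four slow GraphQL responses within 24 seconds); carol's two slow requests fall outside one window and her slow non-GraphQL request is not counted.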