Vulnerability Description
EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g., *). This may allow the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration. This was fixed in version 9.1.7.
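The defensive point behind this advisory is that a username taken from a login form must never be spliced into an LDAP search filter as raw text. The following added example (illustrative code, not EspoCRM's own implementation or its patch) shows the RFC 4515 escaping that makes filter metacharacters such as `*`, `(`, `)` and `\` literal, a validation check that flags raw input carrying those characters, and a small in-memory simulation of how a directory evaluates an assertion value, so the unescaped and escaped filters can be compared side by side. The attribute name `uid`, the sample directory entries and the simplified (case-sensitive, single-attribute) matcher are assumptions for the demonstration.

```python
"""Added example (not EspoCRM code): escape untrusted input before it enters an
LDAP filter, and compare the effect of an unescaped versus escaped assertion
value against a constructed directory."""
import re

# RFC 4515 section 3: characters that must be written as \XX inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP filter.

    Each character is looked up individually, so a single pass is enough and the
    backslash in the replacement sequences is never re-processed.
    """
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def contains_filter_metacharacters(value: str) -> bool:
    """Validation / logging aid: True if the raw value carries characters that
    would change filter semantics if left unescaped."""
    return any(ch in value for ch in _LDAP_FILTER_ESCAPES)


def build_user_filter(username: str, attribute: str = "uid") -> str:
    """Filter that matches exactly one account name.

    `attribute` is an assumption (hypothetical schema); use the directory's
    real login attribute.
    """
    return f"({attribute}={escape_ldap_filter_value(username)})"


def _decode_escapes(assertion: str) -> str:
    """Turn RFC 4515 \\XX sequences back into the literal characters they encode."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), assertion)


def assertion_matches(assertion: str, attr_value: str) -> bool:
    """Simplified model of server-side evaluation of one equality/substring
    assertion: any unescaped '*' is a wildcard, everything else is literal.

    Escaped asterisks arrive as '\\2a' and so contain no literal '*'; hence a
    split on '*' separates wildcards from literal segments. Real directories
    usually apply case-insensitive matching rules; that is omitted here.
    """
    pattern = ".*".join(re.escape(_decode_escapes(part)) for part in assertion.split("*"))
    return re.fullmatch(pattern, attr_value, re.DOTALL) is not None


def matching_accounts(raw_username: str, directory: list[str], escape: bool = True) -> list[str]:
    """Return the account names the filter built from `raw_username` would match.

    With escape=False the raw value is used as-is (the unsafe pattern); with
    escape=True it is escaped first (the hardened pattern).
    """
    value = escape_ldap_filter_value(raw_username) if escape else raw_username
    return [uid for uid in directory if assertion_matches(value, uid)]


# Constructed sample directory for the demonstration (not real data).
SAMPLE_DIRECTORY = ["alice", "albert", "bob"]

if __name__ == "__main__":
    for raw in ("alice", "al*"):
        print(f"input {raw!r}: metacharacters={contains_filter_metacharacters(raw)}")
        print("  unescaped filter matches:", matching_accounts(raw, SAMPLE_DIRECTORY, escape=False))
        print("  escaped filter:", build_user_filter(raw),
              "matches:", matching_accounts(raw, SAMPLE_DIRECTORY, escape=True))
```

With escaping in place an input like `al*` becomes the literal value `al\2a`, which matches no account, whereas the unescaped filter matches every name beginning with `al`; that difference is the blind enumeration signal the advisory describes, and escaping (or a rejection rule built on `contains_filter_metacharacters`) removes it. Libraries such as python-ldap (`ldap.filter.escape_filter_chars`) and ldap3 (`ldap3.utils.conv.escape_filter_chars`) provide equivalent escaping and should be preferred over a hand-rolled version in production code.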
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Espocrm | Espocrm | < 9.1.7 |
Related Weaknesses (CWE)
References
- https://github.com/espocrm/espocrm/commit/8649f1ac0ce714b2c31727bca3dd95d06e1733 (Patch)
- https://github.com/espocrm/espocrm/security/advisories/GHSA-rjm8-77fr-4f3v (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-52575?
CVE-2025-52575 is a vulnerability with a CVSS score of 6.5 (MEDIUM). EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unau...
How severe is CVE-2025-52575?
CVE-2025-52575 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2025-52575?
Check the references section above for the vendor advisory and patch information. Affected product: Espocrm (vendor Espocrm), versions before 9.1.7.