Are we affected by SugarCRM Exploit?

Hello Everyone,

Just lastweek SugarCRM has security exploitation issue and Sugar already created a Hotfix Update to fix this Security issue. My question is are we affected on this or not?

Source:
https://sugarclub.sugarcrm.com/dev-club/f/questions-answers/6123/exploit-for-sugarcrm-shell-upload
https://sugarclub.sugarcrm.com/partner-club/f/reseller-discussions/6122/zero-day---auth-bypass-rce-exploit/27979#27979

1 Like

I have tested the vulnerability but it doesn’t seem to effect my suitecrm7. (while it does affect my Sugar Instance while I was testing it)
I am no security expert

1 Like

I see no problem in my first checks, but shurely someone should take a closer look. The exploit is CVE-2023-22952 and I guess we are not concerned but maybe someone experienced in this kind of stuff could please take a look

1 Like

+1 for getting this checked by an expert as soon as possible. We took precautions today and temporarily removed access from public internet. This in turn is raising problems with running email campaigns, which have unsubscribe links pointing at the installation.

I agreed, and I’m still waiting for a response from the sales agility representative regarding their statement on this issue and how it will affect the SuiteCMR.

1 Like

@abuzarfaris, How did you test it on your end? I want to test it too, but I don`t know how to do it.

Yeah, this should be addressed since this exploitation is already available on the internet.

The exploit file is available on the internet (I don’t know whether it’s safe to share it here). Try and run it on your crm. it will tell you whether your crm is responds to it or not. I have analyzed the codes of sugar and suitecrm and I think suitecrm is safe .It’s an extra elseif in suitecrm that prevents the execution from going further

1 Like

The Security Team at SuiteCRM has analysed the most recent, publicly disclosed, vulnerability in SugarCRM: Auth Bypass + RCE Exploit with ‘CVE-2023-22952’.

The currently supported versions of SuiteCRM are unaffected by this vulnerability, based on the information available at this time.

Please take into account that the vulnerability checks are done only under systems that follow the SuiteCRM compatibility matrix and the SuiteCRM installation guide lines.

6 Likes