Blind LDAP Injection Vulnerability in EspoCRM by EspoCRM
CVE-2025-52575

6.5MEDIUM

Key Information:

Vendor: Espocrm
Status: Espocrm
Vendor: CVE Published:; 21 July 2025

What is CVE-2025-52575?

EspoCRM, an open source customer relationship management software, is susceptible to a blind LDAP injection vulnerability when LDAP authentication is enabled. This weakness allows remote, unauthenticated attackers to manipulate LDAP queries through specially crafted input featuring wildcard characters, leading to potential bypass of authentication mechanisms, enumeration of valid usernames, or access to sensitive directory information depending on the configuration of the LDAP server. The issue has been addressed in version 9.1.7.

Affected Version(s)

espocrm < 9.1.7

References

https://github.com/espocrm/espocrm/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/espocrm/espocrm/commit/8649f1ac0ce714b...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 21, 2025
Vulnerability Reserved
Jun 18, 2025

Espocrm

What is CVE-2025-52575?

Affected Version(s)

References

CVSS V3.1

Timeline