CVE-2025-52575
Summary
EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g., *). This may allow the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration. This was fixed in version 9.1.7.
Impact & exploitability
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: https://github.com/espocrm/espocrm/commit/8649f1ac0ce714b2c31727bca3dd95d06e17337f ↗