Unrated severityNVD Advisory· Published Jul 21, 2025· Updated Jul 21, 2025
EspoCRM vulnerable to LDAP Injection through Improper Neutralization of Special Elements
CVE-2025-52575
Description
EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g., *). This may allow the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration. This was fixed in version 9.1.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- github.com/espocrm/espocrm/commit/8649f1ac0ce714b2c31727bca3dd95d06e17337fmitrex_refsource_MISC
- github.com/espocrm/espocrm/security/advisories/GHSA-rjm8-77fr-4f3vmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.