Cyber Resilience

CVE-2023-22952

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 11 January 2023
Modified: 03 November 2025
KEV Added: 02 February 2023
Patch: Hotfix 91155 (vendor)
CVSS Score: v3.1 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9307 (99.8th percentile)
Risk Priority: 93 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-22952 is a high-severity Improper Input Validation (CWE-20) vulnerability in SugarCRM. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 0.2% of all CVEs by EPSS exploit likelihood (99.8th percentile), CISA has added it to the Known Exploited Vulnerabilities catalog, and public proof-of-concept code is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-22952 affects SugarCRM versions prior to 12.0 Hotfix 91155. The flaw stems from missing input validation in the EmailTemplates component, which lets a crafted request inject arbitrary PHP code (CWE-20 as the root cause, CWE-94 Code Injection as the resulting weakness). It carries a CVSS v3.1 base score of 8.8, reflecting network-reachable exploitation with low attack complexity, low required privileges and no user interaction.

An authenticated attacker (PR:L) can submit a malicious request that results in remote code execution as the web server user, granting full control over the affected application, including the ability to read, modify or delete CRM data and potentially pivot within the environment. Public proof-of-concept material demonstrates uploading a web shell through this vector.

SugarCRM's security advisory directs customers to apply Hotfix 91155, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on 02 February 2023. The EPSS score remains elevated at 0.93, meaning a high estimated probability of exploitation activity in the next 30 days, consistent with sustained attacker interest since disclosure.
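Because the public PoC ends in a web shell upload, the most useful detection is a hunt over request logs for two things: PHP code or PHP file names arriving in requests to the EmailTemplates component, and PHP later being executed from a directory that should only hold data. The script below is an added example, not SugarCRM's code and not detection content from this page. It assumes that requests reach SugarCRM's legacy router as index.php?module=...&action=... (the action values are placeholders), that the log source records request bodies (a WAF or reverse proxy with body logging; a plain access log has no body, so only the URL checks apply), and that /cache/ and /upload/ stand in for the web-writable directories where a dropped shell would live. The JSON-lines sample is constructed for the example.

```python
"""Hunt for CVE-2023-22952 exploitation attempts in web request logs.

Added example, not SugarCRM's code and not detection content from the tracker
page.  Assumptions not stated on the page:
- requests reach SugarCRM's legacy router as index.php?module=...&action=...,
  so the EmailTemplates component is selected by module=EmailTemplates
  (the action values in the sample are placeholders);
- the log source records request bodies (WAF or reverse proxy with body
  logging); a plain access log carries no body, so only the URL checks apply;
- /cache/ and /upload/ stand in for the web-writable directories where a
  dropped web shell would have to live;
- the JSON-lines sample below is constructed for this example.
"""
from __future__ import annotations

import json
import re
from urllib.parse import parse_qs, urlsplit

# PHP open tags ("<?php", "<?=") in any decoded parameter value.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Values or paths ending in an extension the web server would execute as PHP.
PHP_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)
WRITABLE_DIRS = ("/cache/", "/upload/")

# Constructed sample: a benign template save, an injection attempt that sends
# PHP code under a .php file name, an unrelated request, then the attacker
# calling the dropped file.
SAMPLE_LOG = """\
{"ts":"2023-01-12T03:14:07Z","src":"198.51.100.7","method":"POST","url":"/index.php?module=EmailTemplates&action=Save","body":"record=&name=newsletter&body_html=%3Cp%3EHello%3C%2Fp%3E"}
{"ts":"2023-01-12T03:14:09Z","src":"198.51.100.7","method":"POST","url":"/index.php?module=EmailTemplates&action=Save","body":"filename=x.php&file=%3C%3Fphp%20system%28%24_GET%5B%27c%27%5D%29%3B%20%3F%3E"}
{"ts":"2023-01-12T03:14:11Z","src":"203.0.113.5","method":"GET","url":"/index.php?module=Accounts&action=index","body":""}
{"ts":"2023-01-12T03:14:12Z","src":"198.51.100.7","method":"GET","url":"/cache/images/x.php?c=id","body":""}
"""


def classify(record: dict) -> list[str]:
    """Return the reasons a single request record looks like exploitation."""
    url = urlsplit(record["url"])
    query = parse_qs(url.query)
    reasons = []
    if record["method"] == "POST" and query.get("module") == ["EmailTemplates"]:
        # Decode the body the way PHP would before looking for PHP code.
        params = parse_qs(record.get("body", ""), keep_blank_values=True)
        values = [v for vs in params.values() for v in vs]
        if any(PHP_TAG.search(v) for v in values):
            reasons.append("php_tag_in_EmailTemplates_request")
        if any(PHP_EXT.search(v) for v in values):
            reasons.append("php_filename_in_EmailTemplates_request")
    # Post-exploitation: PHP executed from a directory that should only hold data.
    if url.path.startswith(WRITABLE_DIRS) and PHP_EXT.search(url.path):
        reasons.append("php_executed_from_writable_dir")
    return reasons


def hunt(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan JSON-lines log text; return (timestamp, source, reasons) per hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = classify(record)
        if reasons:
            hits.append((record["ts"], record["src"], reasons))
    return hits


if __name__ == "__main__":
    for ts, src, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {src} {', '.join(reasons)}")
```

The third rule is the one that survives a missing body log: any PHP executed from a data directory on a SugarCRM host is worth an alert on its own, and it is also the rule that catches a shell dropped by a variant of the request the first two rules do not recognise.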

Vulnerability details

In SugarCRM before 12.0 Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates component because of missing input validation.

CWE(s): CWE-20 (Improper Input Validation)
KEV Date Added: 02 February 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: SugarCRM
Product: SugarCRM
Versions: 11.0.0 to 11.0.5, 12.0.0 to 12.0.2
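The version ranges above and the "before 12.0 Hotfix 91155" wording in the description do not say the same thing, and the difference matters in an inventory: a 12.0.2 install is vulnerable or patched depending on a hotfix number that the version string does not carry. The check below is an added example, not SugarCRM's tooling. It assumes major.minor.patch version strings, that applied hotfix numbers come from the instance's own records and are passed in separately, and that because the fix ships as Hotfix 91155 on the 12.0 line, 11.0.x installs are reported vulnerable regardless of hotfix state.

```python
"""Exposure check for CVE-2023-22952 against the ranges listed above.

Added example, not SugarCRM's tooling.  Assumptions not stated on the page:
- version strings have the form major.minor.patch (e.g. "12.0.2");
- the hotfix level is not encoded in the version string, so applied hotfix
  numbers must come from the instance's own records and are passed in
  separately;
- the fix is delivered as Hotfix 91155 on the 12.0 line, so 11.0.x installs
  are reported vulnerable regardless of hotfix state.
"""
from __future__ import annotations

# Inclusive ranges from "Affected Assets".
AFFECTED_RANGES = (
    ((11, 0, 0), (11, 0, 5)),
    ((12, 0, 0), (12, 0, 2)),
)
FIXING_HOTFIX = 91155


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major[.minor[.patch]]' into a comparable tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SugarCRM version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str, hotfixes: frozenset[int] = frozenset()) -> str:
    """Return 'vulnerable', 'patched' or 'not_listed' for one install.

    not_listed means the version falls outside the ranges this page records,
    not that it is safe; anything else is a question for the vendor advisory.
    """
    v = parse_version(version)
    if not any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "not_listed"
    if v[:2] == (12, 0) and FIXING_HOTFIX in hotfixes:
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    for ver, fixes in (("11.0.5", frozenset()), ("12.0.2", frozenset()),
                       ("12.0.2", frozenset({91155})), ("13.0.0", frozenset())):
        print(f"{ver} hotfixes={sorted(fixes)} -> {assess(ver, fixes)}")
```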

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of all inputs to EmailTemplates to block crafted requests that inject PHP code.

Malicious code detection and blocking (prevent)
Requires mechanisms to detect and block execution of the malicious PHP code injected via the EmailTemplates flaw.

SI-2 Flaw Remediation (prevent)
Mandates timely application of vendor Hotfix 91155, which eliminates the input-validation flaw in EmailTemplates.
