EspoCRM Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) Vulnerability - CVE-2025-52575 - Vulnerability Database

EspoCRM

EspoCRM Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) Vulnerability - CVE-2025-52575

Medium

Reference: CVE-2025-52575

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2025-52575

Title: EspoCRM Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) Vulnerability

Overview:

EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g. ). This may allow the attacker to bypass authentication controls enumerate valid usernames or retrieve sensitive directory information depending on the LDAP server configuration. This was fixed in version 9.1.7.