CVE-2025-52575

Name of the Vulnerable Software and Affected Versions EspoCRM versions 9.1.6 and earlier

Description EspoCRM is an Open Source CRM (Customer Relationship Management) software. Versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g., *). This may allow the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration.

Recommendations Update to version 9.1.7 or later.