Author: Sam Sanoop
Word count: 1707
Language: English
Hacker News points: None

Summary

The SuiteCRM vulnerability is a PHAR (PHP Archive) deserialization issue that allows an authenticated administrator to execute commands on the underlying operating system. It exists because PHAR files carry serialized metadata that PHP unserializes when the archive is accessed through the phar:// stream wrapper, which makes the metadata a vector for PHP object injection. An attacker can exploit this by uploading a malicious PHAR file with a .phar, .zip, or .jpeg extension and triggering the phar:// URI check. The SuiteCRM maintainers had added checks to prevent exploitation, but those checks can be bypassed using capital characters. The same class of issue also exists in the zend-gdata library, pulled in as a transitive dependency, where it can be leveraged for arbitrary file deletion: an attacker uploads a ZIP PHAR archive and triggers the phar:// URI check. Once triggered, the PHAR deserialization lets an attacker delete files and achieve arbitrary code execution on the system. The vulnerability is mitigated in release 7.11.19 of SuiteCRM.
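Because the bypass described above relies on changing the case of the scheme, the defensive lessons are that any check for phar:// must be case-insensitive, that uploads should be sniffed for PHAR content rather than trusted by extension, and that the phar wrapper should be unregistered outright when the application never needs it. The PHP below is an added example, not SuiteCRM's or zend-gdata's code; the function names are hypothetical, the inputs are constructed, and it assumes an upload is small enough to read into memory and that the application runs on a Linux host where a "scheme://" prefix is never a legitimate local path.

```php
<?php
declare(strict_types=1);

// Added example, not SuiteCRM's own code. All function names are hypothetical.

/**
 * A naive check of the kind the summary says was bypassed: it compares
 * case-sensitively, so "PHAR://" or "Phar://" slips past it.
 * Returns true when the path "looks fine" to this check.
 */
function naiveCheckPasses(string $path): bool
{
    return strpos($path, 'phar://') !== 0;
}

/**
 * Hardened check: lower-case first, refuse any "scheme://" prefix at all
 * (phar, file, data, ...), and as defence in depth refuse the phar wrapper
 * anywhere in the string, since "/var/www/phar://x" is never a real path.
 * Assumption: Linux host, so no "C:\" style paths need to pass.
 */
function isSafeLocalPath(string $path): bool
{
    $lower = strtolower($path);
    if (preg_match('~^[a-z][a-z0-9+.\-]*://~', $lower) === 1) {
        return false;
    }
    return strpos($lower, 'phar://') === false;
}

/**
 * Content sniff for uploads: a PHAR renamed to .jpeg is still a PHAR.
 * Phar- and tar-format archives carry the "__HALT_COMPILER();" stub; the
 * second branch is a heuristic (assumption) for zip-format archives, which
 * keep their stub and metadata under a ".phar/" entry inside the zip.
 */
function looksLikePhar(string $contents): bool
{
    if (stripos($contents, '__HALT_COMPILER();') !== false) {
        return true;
    }
    return substr($contents, 0, 2) === 'PK' && strpos($contents, '.phar/') !== false;
}

/**
 * Strongest mitigation when the application never opens PHARs: remove the
 * wrapper, so file_exists('phar://...') and similar calls cannot reach the
 * metadata deserialization at all. Call it in bootstrap, before any
 * user-controlled path is touched. Returns true when the wrapper is absent.
 */
function disablePharWrapper(): bool
{
    if (!in_array('phar', stream_get_wrappers(), true)) {
        return true;
    }
    return stream_wrapper_unregister('phar');
}

// Demonstration on constructed inputs.
$inputs = [
    'uploads/report.pdf',
    'phar://uploads/report.jpeg/x',
    'PHAR://uploads/report.jpeg/x',   // the case variant the naive check misses
];
foreach ($inputs as $p) {
    printf("%-32s naive=%s hardened=%s\n", $p,
        naiveCheckPasses($p) ? 'pass' : 'reject',
        isSafeLocalPath($p) ? 'pass' : 'reject');
}

// Constructed upload bodies: a fake JPEG header and a minimal phar-style stub.
$jpegBytes = "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16);
$pharBytes = "<?php __HALT_COMPILER(); ?>\r\n" . str_repeat("\0", 16);
var_dump(looksLikePhar($jpegBytes));
var_dump(looksLikePhar($pharBytes));

// After this, any phar:// access fails instead of deserializing metadata.
disablePharWrapper();
var_dump(in_array('phar', stream_get_wrappers(), true));
```

The three layers are deliberately independent: the path check stops the URI from being built, the content sniff stops the archive from being stored under a harmless extension, and unregistering the wrapper makes both of the others redundant on hosts that never need PHAR support.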