Action Required: Apply critical security vulnerability hotfix to your on-premise instances

We take security very seriously here at SugarCRM.  Last week we notified all partners and customers of a publicly disclosed vulnerability affecting our Sugar Sell, Serve, Enterprise, Professional, and Ultimate software solutions. The hotfix was released on Jan 4th. This follow-up FAQ was published on Jan 5th and has been frequently updated. We also hosted partner calls to clarify any questions on Jan 6th and Jan 11th.

We strongly recommend that all Sugar developers immediately apply this hotfix to any and all Sugar on-premise instances under your control including local development and test sandboxes. Customer Developers can contact Sugar Support to get access to the hotfix. Partner Developers can follow the instructions to download the hotfix in this PartnerClub hotfix post. The hotfix can be applied by following the steps in this Knowledge Base article and with the assistance of Sugar Support as necessary.

SugarCloud-based instances created using Demo Builder (, or hosted in our production environment (, have already been patched. No further action is needed for SugarCloud environments.

Please contact if you have any questions or need any clarifications.