High (8.8)

Vtiger CRM RCE via .phar upload (CVE-2026-23697) [PoC]

CVE-2026-23697

CVE-2026-23697: Vtiger CRM before 8.4.0 allows low-privileged RCE via .phar file upload bypassing denylist. CVSS 8.8. Update to 8.4.0 or apply Apache 2.4 config.

Exploitation confirmed - public proof-of-concept - CVE-2026-23697 is a high-severity remote code execution vulnerability in Vtiger CRM before 8.4.0 that lets authenticated low-privileged users upload disguised PHP payloads via the Documents module. Patched in version 8.4.0 - upgrade immediately.

Overview

CVE-2026-23697 affects Vtiger CRM versions prior to 8.4.0. The vulnerability stems from an incomplete file extension denylist in config.inc.php that omits .phar files. An authenticated attacker with minimal privileges can upload a malicious .phar file containing arbitrary PHP code through the Documents module.

The uploaded file retains its .phar extension and is stored in the web-accessible storage directory. Additionally, the application ships with a misconfigured .htaccess file written for Apache 2.2 syntax, which Apache 2.4 deployments silently ignore. This means the access control restriction never applies, allowing unauthenticated HTTP requests to directly execute the uploaded PHP payload.

Impact

Successful exploitation gives an authenticated low-privileged attacker the ability to execute arbitrary PHP code on the Vtiger CRM server. This can lead to full server compromise, data exfiltration, lateral movement within the network, and ransomware deployment. The attack does not require user interaction, and the low complexity makes it accessible even to moderately skilled attackers.

Remediation

Immediate action: Upgrade to Vtiger CRM version 8.4.0 or later. This release adds .phar to the extension denylist and fixes the Apache configuration syntax.

Mitigation (if upgrade is delayed):

  • Replace the .htaccess file in the storage directory with a version using Apache 2.4-compatible IfVersion syntax, or better, implement access controls at the Apache httpd.conf level.
  • Restrict access to the storage directory using Apache Require directives.
  • Deploy a web application firewall (WAF) rule to block .phar file uploads.
  • Review existing uploaded files in the storage directory for malicious content.

Security Insight

This vulnerability demonstrates a recurring pattern in PHP CRM and ERP applications: incomplete deny-list validation combined with silent configuration migration failures. Vtiger’s .phar omission mirrors the same class of flaws found in Apache ActiveMQ (CVE-2026-34197), where small configuration oversights yield full server compromise. Organizations should audit their CRM applications for similar gaps - specifically verifying that file upload denylists are exhaustive and that shipped .htaccess files are verified against the actual server runtime, not a legacy reference.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars
JivaSecurity/VTIGER-CRM-RCE-CVE-2026-23697

Vtiger CRM 8.3.0 Authenticated RCE via .phar Upload

★ 0

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.

Related Advisories

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.