Vtiger CRM RCE via .phar upload (CVE-2026-23697) [PoC]
CVE-2026-23697
CVE-2026-23697: Vtiger CRM before 8.4.0 allows low-privileged RCE via .phar file upload bypassing denylist. CVSS 8.8. Update to 8.4.0 or apply Apache 2.4 config.
Exploitation confirmed - public proof-of-concept - CVE-2026-23697 is a high-severity remote code execution vulnerability in Vtiger CRM before 8.4.0 that lets authenticated low-privileged users upload disguised PHP payloads via the Documents module. Patched in version 8.4.0 - upgrade immediately.
Overview
CVE-2026-23697 affects Vtiger CRM versions prior to 8.4.0. The vulnerability stems from an incomplete file extension denylist in config.inc.php that omits .phar files. An authenticated attacker with minimal privileges can upload a malicious .phar file containing arbitrary PHP code through the Documents module.
The uploaded file retains its .phar extension and is stored in the web-accessible storage directory. Additionally, the application ships with a misconfigured .htaccess file written for Apache 2.2 syntax, which Apache 2.4 deployments silently ignore. This means the access control restriction never applies, allowing unauthenticated HTTP requests to directly execute the uploaded PHP payload.
Impact
Successful exploitation gives an authenticated low-privileged attacker the ability to execute arbitrary PHP code on the Vtiger CRM server. This can lead to full server compromise, data exfiltration, lateral movement within the network, and ransomware deployment. The attack does not require user interaction, and the low complexity makes it accessible even to moderately skilled attackers.
Remediation
Immediate action: Upgrade to Vtiger CRM version 8.4.0 or later. This release adds .phar to the extension denylist and fixes the Apache configuration syntax.
Mitigation (if upgrade is delayed):
- Replace the
.htaccessfile in the storage directory with a version using Apache 2.4-compatibleIfVersionsyntax, or better, implement access controls at the Apachehttpd.conflevel. - Restrict access to the storage directory using Apache
Requiredirectives. - Deploy a web application firewall (WAF) rule to block
.pharfile uploads. - Review existing uploaded files in the storage directory for malicious content.
Security Insight
This vulnerability demonstrates a recurring pattern in PHP CRM and ERP applications: incomplete deny-list validation combined with silent configuration migration failures. Vtiger’s .phar omission mirrors the same class of flaws found in Apache ActiveMQ (CVE-2026-34197), where small configuration oversights yield full server compromise. Organizations should audit their CRM applications for similar gaps - specifically verifying that file upload denylists are exhaustive and that shipped .htaccess files are verified against the actual server runtime, not a legacy reference.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| JivaSecurity/VTIGER-CRM-RCE-CVE-2026-23697 Vtiger CRM 8.3.0 Authenticated RCE via .phar Upload | ★ 0 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
Related Advisories
Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by sub...
Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshel...
Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint....
Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController...