Vtiger CRM lets admins upload webshells (CVE-2026-23698) [PoC]
CVE-2026-23698
CVE-2026-23698: High-severity RCE in Vtiger CRM <=8.4.0. Authenticated admin can upload a PHP web shell via the import feature. Apply vendor patch or remove write access to modules/.
Exploitation confirmed - public proof-of-concept - CVE-2026-23698 is a high-severity authenticated remote code execution vulnerability in Vtiger CRM through version 8.4.0 that allows administrator-level attackers to upload a persistent PHP web shell to the web root. No vendor patch is available yet; apply the mitigations below.
Overview
CVE-2026-23698 resides in the Vtiger CRM ModuleManager import function. An administrator with valid credentials can upload a crafted ZIP archive containing arbitrary PHP files. The application extracts the archive directly into the modules/ directory under the web root and only validates the manifest.xml descriptor. It does not check whether the extracted files are legitimate PHP modules.
Once extracted, the attacker implants a PHP web shell at a predictable URL under the modules/ path. Apache resolves the path and invokes the PHP interpreter before Vtiger’s authentication or authorization layer has a chance to intervene. This gives the attacker persistent, session-independent access to the server.
Impact
An authenticated administrator can:
- Upload and execute arbitrary PHP code on the Vtiger server.
- Maintain persistence through a web shell that survives session timeouts and password changes.
- Use the foothold to pivot to internal systems, escalate privileges, or exfiltrate the CRM database.
The CVSS score is 8.6 (HIGH), reflecting the network accessibility, low attack complexity, and no user interaction required beyond the initial admin login.
Affected Versions
Vtiger CRM through version 8.4.0.
CISA has not confirmed active exploitation of CVE-2026-23698; it is not listed in the Known Exploited Vulnerabilities catalog.
Remediation and Mitigations
No vendor patch exists as of this writing. Apply the following mitigations in order of priority:
- Restrict module upload functionality: Temporarily disable the ModuleManager import for all accounts until a patch is released.
- File system hardening: Remove PHP execution permissions from the
modules/directory via a.htaccessfile or Apache configuration:<Directory /path/to/vtiger/modules> php_flag engine off </Directory> - Monitor file changes: Deploy file integrity monitoring on the
modules/directory for unexpected PHP files. - Audit admin accounts: Review the list of administrator accounts for any that should not have module upload privileges.
Security Insight
CVE-2026-23698 is a textbook example of a vulnerability that arises when a trusted feature (module import) lacks the proper input validation boundaries. This pattern — extracting archives into web-accessible directories without file type verification — parallels the 2018 Drupalgeddon 2 vulnerability (CVE-2018-7600), which also abused a legitimate import feature to achieve RCE. Vtiger would benefit from two architectural changes: scanning all file contents at extraction against an allowlist of module signatures, and decoupling upload directories from the web root to a location that Apache cannot reach.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| JivaSecurity/VTIGER-CRM-RCE-CVE-2026-23698 Vtiger CRM 8.3.0, 8.4.0 Module Import Authenticated RCE PoC | ★ 0 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
Related Advisories
Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code th...
Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshel...
Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint....
Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController...