High (8.6)

Vtiger CRM lets admins upload webshells (CVE-2026-23698) [PoC]

CVE-2026-23698

CVE-2026-23698: High-severity RCE in Vtiger CRM <=8.4.0. Authenticated admin can upload a PHP web shell via the import feature. Apply vendor patch or remove write access to modules/.

Exploitation confirmed - public proof-of-concept - CVE-2026-23698 is a high-severity authenticated remote code execution vulnerability in Vtiger CRM through version 8.4.0 that allows administrator-level attackers to upload a persistent PHP web shell to the web root. No vendor patch is available yet; apply the mitigations below.

Overview

CVE-2026-23698 resides in the Vtiger CRM ModuleManager import function. An administrator with valid credentials can upload a crafted ZIP archive containing arbitrary PHP files. The application extracts the archive directly into the modules/ directory under the web root and only validates the manifest.xml descriptor. It does not check whether the extracted files are legitimate PHP modules.

Once extracted, the attacker implants a PHP web shell at a predictable URL under the modules/ path. Apache resolves the path and invokes the PHP interpreter before Vtiger’s authentication or authorization layer has a chance to intervene. This gives the attacker persistent, session-independent access to the server.

Impact

An authenticated administrator can:

  • Upload and execute arbitrary PHP code on the Vtiger server.
  • Maintain persistence through a web shell that survives session timeouts and password changes.
  • Use the foothold to pivot to internal systems, escalate privileges, or exfiltrate the CRM database.

The CVSS score is 8.6 (HIGH), reflecting the network accessibility, low attack complexity, and no user interaction required beyond the initial admin login.

Affected Versions

Vtiger CRM through version 8.4.0.

CISA has not confirmed active exploitation of CVE-2026-23698; it is not listed in the Known Exploited Vulnerabilities catalog.

Remediation and Mitigations

No vendor patch exists as of this writing. Apply the following mitigations in order of priority:

  1. Restrict module upload functionality: Temporarily disable the ModuleManager import for all accounts until a patch is released.
  2. File system hardening: Remove PHP execution permissions from the modules/ directory via a .htaccess file or Apache configuration:
    <Directory /path/to/vtiger/modules>
        php_flag engine off
    </Directory>
  3. Monitor file changes: Deploy file integrity monitoring on the modules/ directory for unexpected PHP files.
  4. Audit admin accounts: Review the list of administrator accounts for any that should not have module upload privileges.

Security Insight

CVE-2026-23698 is a textbook example of a vulnerability that arises when a trusted feature (module import) lacks the proper input validation boundaries. This pattern — extracting archives into web-accessible directories without file type verification — parallels the 2018 Drupalgeddon 2 vulnerability (CVE-2018-7600), which also abused a legitimate import feature to achieve RCE. Vtiger would benefit from two architectural changes: scanning all file contents at extraction against an allowlist of module signatures, and decoupling upload directories from the web root to a location that Apache cannot reach.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars
JivaSecurity/VTIGER-CRM-RCE-CVE-2026-23698

Vtiger CRM 8.3.0, 8.4.0 Module Import Authenticated RCE PoC

★ 0

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.

Related Advisories

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.