CVE-2026-32985: PHP RCE — Critical — Patch Now
CVE-2026-32985
Critical unauthenticated RCE in Xerte Online Toolkits 3.14 and earlier lets attackers take full server control. Upgrade immediately to a version later than 3.14.
Patch now - CVE-2026-32985 is a critical unauthenticated remote code execution (RCE) in Xerte Online Toolkits 3.14 and earlier that grants attackers complete server compromise via a malicious ZIP file upload. Upgrade to a version later than 3.14 immediately.
Overview
A critical security vulnerability has been discovered in Xerte Online Toolkits, an open-source tool for creating interactive learning content. This flaw, tracked as CVE-2026-32985, allows an unauthenticated attacker to upload malicious files and execute arbitrary code on the server. All versions 3.14 and earlier are affected.
Vulnerability Details
The vulnerability exists in the template import feature. The system fails to verify whether a user is logged in before processing a template upload. An attacker can exploit this by sending a specially crafted ZIP file that mimics a project template. This archive can contain a PHP file hidden within its structure.
When the server processes this malicious ZIP, it extracts the contents, including the PHP file, into a publicly accessible directory on the web server. Because there are no authentication checks, anyone can trigger this upload and then directly access the uploaded file via a web browser, causing the malicious code to run.
Impact
The impact of this vulnerability is severe. Successful exploitation gives an attacker the ability to execute any command or code on the server with the same permissions as the web server process. This can lead to:
- Complete compromise of the server hosting the Xerte application.
- Theft or destruction of sensitive data, including user information and project content.
- Use of the server as a foothold for further attacks within the network.
- Website defacement or deployment of malware.
Remediation and Mitigation
Immediate action is required to secure affected systems.
Primary Action: Patch or Upgrade
The most effective solution is to upgrade Xerte Online Toolkits to a version later than 3.14. The maintainers have released a fix that adds proper authentication checks to the vulnerable import function. Apply this update as soon as possible.
Temporary Mitigation
If immediate upgrading is not feasible, consider these temporary measures:
- Restrict Access: Use a web application firewall (WAF) to block requests to the vulnerable endpoint (/website_code/php/import/import.php).
- File System Controls: If supported by your server, configure rules to prevent the execution of PHP files from within the USER-FILES/ directory tree.
- Network Segmentation: Ensure the Xerte server is isolated from critical internal networks to limit potential lateral movement by an attacker.
All users should verify their systems are patched and monitor for any signs of suspicious activity.
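As an added example (not code from the advisory or the Xerte project), a small Python scanner that applies the monitoring advice above to web-server access logs: it flags POSTs to the import endpoint named in this advisory and any request for a PHP file under the USER-FILES tree, and raises the severity when the same client does both. The log lines are constructed samples and the directory layout beneath USER-FILES is assumed.

```python
import re
from urllib.parse import urlsplit

IMPORT_ENDPOINT = "/website_code/php/import/import.php"  # endpoint named in the advisory
UPLOAD_TREE = "/user-files/"                              # USER-FILES tree, matched case-insensitively
PHP_EXTENSIONS = (".php", ".phtml", ".phar", ".php5")     # extensions a PHP handler may execute

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); the USER-FILES sub-path layout is assumed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:01:12 +0000] "POST /website_code/php/import/import.php HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [10/Mar/2026:10:01:15 +0000] "GET /USER-FILES/1-templ/dropped.php HTTP/1.1" 200 87 "-" "curl/8.5"
198.51.100.4 - - [10/Mar/2026:10:02:00 +0000] "GET /USER-FILES/42-user/media/intro.png HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:10:02:05 +0000] "GET /website_code/php/import/import.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""

def classify(path):
    """Return a rule name for one request path, or None if it is uninteresting."""
    clean = urlsplit(path).path.lower()          # drop any query string, ignore case
    if clean == IMPORT_ENDPOINT:
        return "template_import"
    if clean.startswith(UPLOAD_TREE) and clean.endswith(PHP_EXTENSIONS):
        return "php_under_user_files"
    return None

def scan_access_log(log_text):
    """Scan access-log text and return findings. A client that both posted a template
    import and then fetched a PHP file under USER-FILES is escalated to 'high'."""
    findings, by_ip = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                               # skip malformed lines instead of crashing
        rule = classify(m["path"])
        if rule is None or (rule == "template_import" and m["method"] != "POST"):
            continue                               # only actual uploads to the endpoint matter
        by_ip.setdefault(m["ip"], set()).add(rule)
        findings.append({"ip": m["ip"], "ts": m["ts"], "rule": rule, "path": m["path"],
                         "status": int(m["status"]),
                         "severity": "info" if rule == "template_import" else "medium"})
    for f in findings:                             # correlate per client: upload + execution
        if {"template_import", "php_under_user_files"} <= by_ip[f["ip"]]:
            f["severity"] = "high"
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["ts"], f["rule"], f["path"], f["status"])
```

Point it at your real access log and treat any "high" finding, or any PHP file physically present under USER-FILES/, as a trigger for incident response rather than just log review.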