CVE-2013-3214

CRITICAL

vtiger CRM <= 5.4.0 - PHP Code Injection via vtigerolservice.php

Title source: llm

Exploitation Summary

EIP tracks 4 public exploit entries for CVE-2013-3214 (three working PoCs and one writeup), published by Metasploit, shadofren, Egidio Romano and juan vazquez, including the Metasploit module exploits/multi/http/vtiger_soap_upload.

AI-analyzed exploit summary: The Metasploit module exploits an arbitrary file upload in vTiger CRM's SOAP services, allowing unauthenticated attackers to upload and execute PHP code. It chains the PHP code injection / file upload in vtigerolservice.php (CVE-2013-3214, the flaw described on this page) with the authentication bypass in the same SOAP service (CVE-2013-3215) to achieve unauthenticated RCE.

Description

vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/30787

This Metasploit module exploits an arbitrary file upload vulnerability in vTiger CRM's SOAP services, allowing unauthenticated attackers to upload and execute PHP code. The upload itself is CVE-2013-3214 (this entry); the module reaches it without credentials by combining it with the SOAP authentication bypass tracked as CVE-2013-3215.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: vTiger CRM v5.4.0
No auth needed
Prerequisites: Network access to the vTiger CRM SOAP endpoint
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by shadofren · poc
https://github.com/shadofren/CVE-2013-3214

This exploit leverages a file upload vulnerability in vTiger CRM 5.4.0 to achieve remote code execution by uploading a malicious PHP file via a SOAP request. The payload executes arbitrary commands via a web shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vTiger CRM 5.4.0
No auth needed
Prerequisites: Network access to the target vTiger CRM instance · SOAP endpoint exposed at /vtigerservice.php
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP
webapps · php
https://www.exploit-db.com/exploits/27279

This is a detailed technical writeup describing multiple vulnerabilities in vtiger CRM, including local file inclusion (LFI) and SQL injection (SQLi) flaws. It provides code snippets, root cause analysis, and patch references.

Classification
Writeup 100%
Attack Type
Sqli | Lfi
Complexity
Moderate
Reliability
Reliable
Target: vtiger CRM <= 5.4.0
No auth needed
Prerequisites: PHP < 5.3.4 for LFI (null byte injection) · Valid session for some SQLi vectors
devstral-2 · analyzed Feb 19, 2026
metasploit WORKING POC EXCELLENT
by Egidio Romano, juan vazquez · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vtiger_soap_upload.rb

This Metasploit module exploits an authentication bypass and arbitrary file upload vulnerability in vTiger CRM via SOAP services. It uploads a PHP payload to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: vTiger CRM v5.4.0
No auth needed
Prerequisites: Network access to the vTiger CRM SOAP service · vTiger CRM v5.4.0 or vulnerable version
devstral-2 · analyzed Feb 16, 2026
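
Every entry above describes the same chain: an unauthenticated POST to the vTiger SOAP service that drops a PHP file, then a second request that executes it. The script below is an added hunting example for this entry, not code from vTiger, Metasploit or any of the PoCs listed here. It parses combined-format access logs and correlates, per source IP, a POST to one of the SOAP scripts named on this page (vtigerolservice.php, vtigerservice.php) with a later request for a .php file under the attachment store. The storage/ path, the log format, the sample log lines and the 10-minute window are assumptions for illustration; adjust them to your deployment.

```python
"""Hunt for CVE-2013-3214 style exploitation in web server access logs.

Added example for this entry; not vTiger, Metasploit or PoC code.
Assumptions (not stated on the page): uploaded attachments are served from a
storage/ directory, and logs are in Apache/nginx combined format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# SOAP entry points named on this page. On a patched install that does not use
# the Outlook plugin, any anonymous POST here is already worth a look.
SOAP_SCRIPTS = ("vtigerolservice.php", "vtigerservice.php")
# Assumed attachment store (vTiger's storage/ tree). PHP should never execute from here.
UPLOAD_DIR_RE = re.compile(r"/storage/.*\.php\d?(\?.*)?$", re.IGNORECASE)

# Constructed sample log: one exploitation chain and one benign SOAP client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2013:14:02:11 +0000] "GET /vtigercrm/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2013:14:02:13 +0000] "POST /vtigercrm/vtigerolservice.php HTTP/1.1" 200 412 "-" "Python-urllib/2.7"
203.0.113.7 - - [10/Aug/2013:14:02:14 +0000] "GET /vtigercrm/storage/2013/August/week2/cmd.php?c=id HTTP/1.1" 200 58 "-" "Python-urllib/2.7"
198.51.100.4 - - [10/Aug/2013:14:05:00 +0000] "GET /vtigercrm/storage/2013/August/week2/invoice.pdf HTTP/1.1" 200 18022 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2013:14:06:30 +0000] "POST /vtigercrm/vtigerolservice.php HTTP/1.1" 200 300 "-" "Outlook-Plugin/1.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines, window=timedelta(minutes=10)):
    """Return (ip, soap_path, shell_path) for every source that POSTed to the
    SOAP service and then requested a .php under the upload dir within `window`."""
    posts = defaultdict(list)  # ip -> [(ts, path)] of SOAP POSTs seen so far
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith(SOAP_SCRIPTS):
            posts[rec["ip"]].append((rec["ts"], rec["path"]))
        elif UPLOAD_DIR_RE.search(rec["path"]):
            # Only correlate with a SOAP POST that preceded the execution attempt.
            for ts, soap_path in posts[rec["ip"]]:
                if timedelta(0) <= rec["ts"] - ts <= window:
                    findings.append((rec["ip"], soap_path, rec["path"]))
                    break
    return findings


def hunt_sample():
    """Run the hunt over the constructed sample log."""
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, soap_path, shell_path in hunt_sample():
        print(f"{ip}: SOAP POST {soap_path} followed by PHP from upload dir {shell_path}")
```

The benign Outlook-plugin client (198.51.100.4) never trips the rule because it only fetches a PDF from storage and its POST comes after that request; only the chain from 203.0.113.7 is reported. A zero-hit result does not prove a clean box: the shell may sit under a different directory, or the attacker may have fetched it over a path the proxy logs elsewhere, so pair this with a file-system sweep for .php files under the attachment store.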

References (3)

Core References (3)
http://www.exploit-db.com/exploits/30787 (Exploit, Third Party Advisory, VDB Entry · exploit-db)
http://www.securityfocus.com/bid/61558 (Third Party Advisory, VDB Entry · bid)
https://exchange.xforce.ibmcloud.com/vulnerabilities/86164 (Third Party Advisory, VDB Entry · xf)

Scores

CVSS v3 9.8
EPSS 0.8812
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-74
Status published
Products (1)
vtiger/vtiger_crm <= 5.4.0
Published Jan 28, 2020
Tracked Since Feb 18, 2026