CVE-2014-2268

vTiger CRM 6.0 before Security Patch 2 - Unauthenticated Remote Code Execution via Install Module Re-Installation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-2268. Both are the same Metasploit module, exploits/multi/http/vtiger_install_rce, listed once from the Metasploit Framework repository and once as its Exploit-DB mirror (EDB-ID 32794).

AI-analyzed exploit summary: The Metasploit module exploits an unauthenticated remote command execution vulnerability in Vtiger CRM by re-entering the installer on an already-installed instance (the X-Requested-With header is what lets the unauthenticated request reach the Install module) and injecting a PHP payload through the database configuration supplied to it. It uses the installer's 'Step5' and 'Step7' modes to get the payload written and executed.

Description

views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter.

Exploits (2)

exploitdb · Working PoC · Verified
by Metasploit · tags: ruby, remote, php
https://www.exploit-db.com/exploits/32794

This Metasploit module exploits an unauthenticated remote command execution vulnerability in Vtiger CRM by injecting PHP payloads into the database configuration during the installation process. It leverages the 'Step5' and 'Step7' modes to execute arbitrary commands.

Classification: Working PoC (95% confidence)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Vtiger CRM 6.0.0 or older (the NVD description scopes the flaw to vTiger 6.0 before Security Patch 2)
Authentication: none required
Prerequisites: Target must have Vtiger CRM 6.0.0 or older installed · Installation script must be reachable over HTTP
devstral-2 · analyzed Feb 16, 2026
metasploit · Working PoC · Manual
tags: ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vtiger_install_rce.rb

This Metasploit module exploits an unauthenticated remote command execution vulnerability in Vtiger CRM's install script by injecting PHP code into the database configuration step. The exploit triggers payload execution via a crafted GET request, leveraging the application's installation process to achieve RCE.

Classification: Working PoC (100% confidence)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Vtiger CRM 6.0.0 or older (the NVD description scopes the flaw to vTiger 6.0 before Security Patch 2)
Authentication: none required
Prerequisites: Vtiger CRM installation reachable over HTTP · Install module still present and enabled
devstral-2 · analyzed Feb 16, 2026
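The exploit descriptions above all rest on two facts from the CVE description: an unauthenticated request that sets X-Requested-With reaches the Install module's views/Index.php on an instance that is already installed, and the db_name value handed to the installer's database-configuration step is written verbatim into the generated PHP config, so PHP placed in it executes. Two defender checks follow directly: flag any request routed to the Install module on a production host (Step5/Step7 especially), and verify that the db_name in the live config is still a bare database name. The Python below is an added example, not code from this page, from Metasploit or from the vTiger project. It assumes an Apache access log whose LogFormat was extended with the X-Requested-With request header as a trailing quoted field, the standard vTiger routing of module=Install&view=Index&mode=StepN on index.php, and a `$dbconfig['db_name'] = '...';` assignment in config.inc.php; the log lines and config fragments are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed Apache LogFormat (assumption, not from the page):
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Requested-With}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<xrw>[^"]*)"$'
)

# Installer stages named in the exploit descriptions.
STAGED_MODES = {"step5", "step7"}

# Constructed sample log: one ordinary AJAX call, one bare probe of the
# installer, then a Step5/Step7 sequence carrying the X-Requested-With header.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Apr/2014:10:00:01 +0000] "GET /vtigercrm/index.php?module=Accounts&view=List HTTP/1.1" 200 3120 "-" "Mozilla/5.0" "XMLHttpRequest"',
    '198.51.100.23 - - [16/Apr/2014:10:02:11 +0000] "GET /vtigercrm/index.php?module=Install&view=Index HTTP/1.1" 200 4811 "-" "curl/7.35.0" "-"',
    '198.51.100.23 - - [16/Apr/2014:10:02:12 +0000] "POST /vtigercrm/index.php?module=Install&view=Index&mode=Step5 HTTP/1.1" 200 512 "-" "curl/7.35.0" "XMLHttpRequest"',
    '198.51.100.23 - - [16/Apr/2014:10:02:13 +0000] "GET /vtigercrm/index.php?module=Install&view=Index&mode=Step7 HTTP/1.1" 200 77 "-" "curl/7.35.0" "XMLHttpRequest"',
]


def parse_line(line):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query)
    rec["params"] = {k: v[0] for k, v in query.items()}
    return rec


def flag_install_requests(lines):
    """On a host where installation has completed, every request routed to the
    Install module is suspect; Step5/Step7 hits are the exploit path itself."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["params"].get("module", "").lower() != "install":
            continue
        mode = rec["params"].get("mode", "").lower()
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "mode": mode or None,
            "ajax_header": rec["xrw"] != "-",   # X-Requested-With was sent
            "severity": "critical" if mode in STAGED_MODES else "high",
        })
    return findings


# Assumed shape of the generated config line (assumption): $dbconfig['db_name'] = '<name>';
DBNAME_LINE = re.compile(r"^\s*\$dbconfig\['db_name'\]\s*=\s*(?P<rhs>.*)$", re.M)
# A legitimate value is one quoted identifier and nothing else on the line.
CLEAN_RHS = re.compile(r"^'[A-Za-z0-9_]{1,64}';$")

CLEAN_CONFIG = """<?php
$dbconfig['db_server'] = 'localhost';
$dbconfig['db_name'] = 'vtigercrm600';
$dbconfig['db_username'] = 'vtiger';
"""

# Constructed: the installer wrote an attacker-supplied db_name verbatim, so the
# string literal is closed early and a PHP statement follows on the same line.
TAMPERED_CONFIG = """<?php
$dbconfig['db_server'] = 'localhost';
$dbconfig['db_name'] = 'crm'; echo "installer reached"; $pad = '';
$dbconfig['db_username'] = 'vtiger';
"""


def check_dbconfig(config_text):
    """Forensic check of a config.inc.php dump: is db_name still a bare name?"""
    m = DBNAME_LINE.search(config_text)
    if not m:
        return {"found": False, "rhs": None, "clean": False}
    rhs = m.group("rhs").strip()
    return {"found": True, "rhs": rhs, "clean": bool(CLEAN_RHS.match(rhs))}


if __name__ == "__main__":
    for finding in flag_install_requests(SAMPLE_LOG):
        print(finding)
    print(check_dbconfig(CLEAN_CONFIG))
    print(check_dbconfig(TAMPERED_CONFIG))
```

The log check deliberately does not key on the X-Requested-With header alone: it is a routine AJAX header, and the first sample line shows a legitimate use of it. The signal is the Install module being routed at all after go-live; the header is recorded only because its presence on such a request matches the bypass the CVE describes. The config check is the post-incident companion: a re-installation rewrites the database settings, so a db_name that is anything other than a single quoted identifier means the installer was driven by someone other than the administrator.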

References (4)

Core References
http://www.securityfocus.com/bid/66757 (Third Party Advisory, VDB Entry; source: SecurityFocus BID)
http://www.exploit-db.com/exploits/32794 (Exploit, Third Party Advisory; source: Exploit-DB)

Scores

EPSS 0.3121 (estimated probability of exploitation activity in the next 30 days: 31.2%)
EPSS Percentile 98.0% (scored higher than 98% of all CVEs)

Details

CWE
CWE-264 (Permissions, Privileges, and Access Controls)
Status published
Products (22)
vtiger/vtiger_crm 1.0
vtiger/vtiger_crm 2.0
vtiger/vtiger_crm 2.0.1
vtiger/vtiger_crm 2.1
vtiger/vtiger_crm 3.0 (2 CPE variants)
vtiger/vtiger_crm 3.2
vtiger/vtiger_crm 4 (3 CPE variants)
vtiger/vtiger_crm 4.0
vtiger/vtiger_crm 4.0.1
vtiger/vtiger_crm 4.2
... and 12 more
Published Nov 16, 2014
Tracked Since Feb 18, 2026