CVE-2019-5009

HIGH

vtiger CRM < 7.1.0 - Unauthenticated Remote Code Execution via PHP3 Logo Upload Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-5009. PoCs published by AkkuS.

AI-analyzed exploit summary This exploit leverages a file upload vulnerability in Vtiger CRM 7.1.0, allowing an authenticated attacker to upload a malicious PHP file disguised as a PNG image with a .php3 extension, leading to remote code execution.

Description

Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "<? ?>" tags, as demonstrated by a CompanyDetailsSave action. This bypasses the bad-file-extensions protection mechanism. It is related to actions/CompanyDetailsSave.php, actions/UpdateCompanyLogo.php, and models/CompanyDetails.php.

Exploits (1)

exploitdb WORKING POC

by AkkuS · pythonwebappsphp

https://www.exploit-db.com/exploits/46065

View Code ZIP pw:eip

This exploit leverages a file upload vulnerability in Vtiger CRM 7.1.0, allowing an authenticated attacker to upload a malicious PHP file disguised as a PNG image with a .php3 extension, leading to remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Vtiger CRM 7.1.0

Auth required

Prerequisites: Valid administrator credentials · Network access to the target application

MITRE ATT&CK

T1133 - External Remote Services T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Mailing List, Patch, Vendor Advisory x_refsource_misc

http://lists.vtigercrm.com/pipermail/vtigercrm-developers/2019-January/037852.html

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46065

Patch, Vendor Advisory x_refsource_misc

http://code.vtiger.com/vtiger/vtigercrm/commit/52fc2fb520ddc55949c2fbedaabd61ddd0109375

Exploit, Third Party Advisory x_refsource_misc

https://pentest.com.tr/exploits/Vtiger-CRM-7-1-0-Remote-Code-Execution.html

Scores

CVSS v3 7.2

EPSS 0.0994

EPSS Percentile 95.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

vtiger/vtiger_crm 7.1.0 hotfix1

vtiger/vtiger_crm < 7.1.0

Published Jan 04, 2019

Tracked Since Feb 18, 2026