CVE-2021-42840

HIGH

SuiteCRM < 7.11.19 - Remote Code Execution via Log File Name Setting

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-42840. PoCs published by M. Cory Billington, including Metasploit module exploits/linux/http/suitecrm_log_file_rce.

AI-analyzed exploit summary This Metasploit module exploits CVE-2021-42840 in SuiteCRM by manipulating log file extensions to achieve remote code execution. It leverages improper input validation to treat a log file as a PHP file, then injects malicious PHP code via user profile updates.

Description

SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.

Exploits (2)

exploitdb WORKING POC VERIFIED

by M. Cory Billington · rubywebappsphp

https://www.exploit-db.com/exploits/50531

View Code ZIP pw:eip

This Metasploit module exploits CVE-2021-42840 in SuiteCRM by manipulating log file extensions to achieve remote code execution. It leverages improper input validation to treat a log file as a PHP file, then injects malicious PHP code via user profile updates.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SuiteCRM versions <= 7.11.18

Auth required

Prerequisites: Valid SuiteCRM credentials with administrative rights · Access to the SuiteCRM web interface

MITRE ATT&CK

T1210 - Exploitation of Remote Services T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GOOD

by M. Cory Billington · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/suitecrm_log_file_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2021-42840 in SuiteCRM by manipulating the log file extension parameter to treat the log file as a PHP file, then injecting PHP code via the username field to achieve remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SuiteCRM versions <= 7.11.18

Auth required

Prerequisites: Valid SuiteCRM credentials with administrative rights · Access to the SuiteCRM web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 23, 2026 Full analysis →

References (5)

Core 5

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://docs.suitecrm.com/admin/releases/7.11.x/#_7_11_19

Third Party Advisory x_refsource_misc

https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/linux/http/suitecrm_log_file_rce.rb

Release Notes, Vendor Advisory x_refsource_misc

https://suitecrm.com/time-to-upgrade-suitecrm-7-11-19-7-10-30-lts-released/

Exploit, Third Party Advisory x_refsource_misc

https://theyhack.me/SuiteCRM-RCE-2/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/165001/SuiteCRM-7.11.18-Remote-Code-Execution.html

Scores

CVSS v3 8.8

EPSS 0.4911

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

salesagility/suitecrm < 7.11.19

Published Oct 22, 2021

Tracked Since Feb 18, 2026