CVE-2023-22952

HIGH KEV NUCLEI

SugarCRM unauthenticated Remote Code Execution (RCE)

Title source: metasploit

Exploitation Summary

CVE-2023-22952 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 2, 2023. EIP tracks 1 public exploit from researchers including Sw33t.0day, including a Metasploit module exploits/multi/http/sugarcrm_webshell_cve_2023_22952. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2023-22952, an unauthenticated RCE vulnerability in SugarCRM. It uploads a malicious PNG file with embedded PHP code to the server via a vulnerable endpoint, then executes arbitrary commands through the uploaded webshell.

Description

In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.

Exploits (1)

metasploit WORKING POC GOOD

by Sw33t.0day · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/sugarcrm_webshell_cve_2023_22952.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2023-22952, an unauthenticated RCE vulnerability in SugarCRM. It uploads a malicious PNG file with embedded PHP code to the server via a vulnerable endpoint, then executes arbitrary commands through the uploaded webshell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SugarCRM 11.0 (Enterprise, Professional, Sell, Serve, Ultimate) < 11.0.5 and 12.0 (Enterprise, Sell, Serve) < 12.0.2

No auth needed

Prerequisites: Network access to the SugarCRM instance · Vulnerable endpoint exposed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

SugarCRM Unauthenticated - Remote Code Execution

HIGHby iamnoooob,rootxharsh,pdresearch

References (3)

Core 3

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html

Vendor Advisory

https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22952

Scores

CVSS v3 8.8

EPSS 0.8027

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2023-02-02

VulnCheck KEV 2023-01-04

InTheWild.io 2023-01-11

ENISA EUVD EUVD-2023-27053

CWE

CWE-94 CWE-20

Status published

Products (1)

sugarcrm/sugarcrm 11.0.0 - 11.0.5

Published Jan 11, 2023

KEV Added Feb 02, 2023

Tracked Since Feb 18, 2026