CVE-2025-67886

MEDIUM

Bitrix24 through 25.100.300 - Remote Code Execution

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-67886. PoCs published by reewardius.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-67886, targeting a remote code execution vulnerability in Bitrix24's Translate Module. The exploit authenticates, uploads a malicious archive, extracts it, and executes a reverse shell.

Description

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.

Exploits (1)

nomisec WORKING POC
by reewardius · poc
https://github.com/reewardius/CVE-2025-67886

This repository contains a functional exploit for CVE-2025-67886, targeting a remote code execution vulnerability in Bitrix24's Translate Module. The exploit authenticates, uploads a malicious archive, extracts it, and executes a reverse shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Bitrix24 <= 25.100.300
Auth required
Prerequisites: valid credentials · cURL extension
devstral-2 · analyzed May 22, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 6.3
EPSS 0.0103
EPSS Percentile 59.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-434
Status published
Published May 08, 2026
Tracked Since May 08, 2026