CVE-2026-23698

HIGH

Vtiger CRM 8.4.0 Authenticated RCE via Module Import File Upload

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-23698. PoCs published by JivaSecurity.

AI-analyzed exploit summary This PoC exploits an authenticated remote code execution (RCE) vulnerability in Vtiger CRM 8.x via two methods: module import (unrestricted file upload in ZIP extraction) and PHAR upload (misconfigured storage directory listing). The exploit achieves unauthenticated command execution after initial admin credentials are used.

Description

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents directly into the modules/ directory under the web root without validating file types beyond the manifest.xml descriptor. Attackers can place executable PHP files in the modules/ directory that become directly accessible via HTTP, bypassing Vtiger's authentication and authorization layer entirely since Apache resolves the path and invokes the PHP interpreter before the application routing layer is involved, resulting in a persistent web shell independent of the originating session.

Exploits (1)

github WORKING POC
by JivaSecurity · pythonpoc
https://github.com/JivaSecurity/VTIGER-CRM-RCE-CVE-2026-23698

This PoC exploits an authenticated remote code execution (RCE) vulnerability in Vtiger CRM 8.x via two methods: module import (unrestricted file upload in ZIP extraction) and PHAR upload (misconfigured storage directory listing). The exploit achieves unauthenticated command execution after initial admin credentials are used.

Classification
Working Poc 98%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Vtiger CRM 8.3.0, 8.4.0
Auth required
Prerequisites: Valid admin credentials · Target must be running Vtiger CRM 8.x · For PHAR mode: 'phar' not in upload blocklist and Apache 2.4 with misconfigured .htaccess
mistral-large-3 · analyzed Jul 07, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit technical-description exploit
Researcher Disclosure
https://jivasecurity.com/writeups/vtiger-rce-module-import-cve-2026-23698
Product product
Project Homepage
https://www.vtiger.com/

Scores

CVSS v3 7.2
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
Vtiger/Vtiger CRM < 8.4.0
Published Jul 07, 2026
Tracked Since Jul 07, 2026