CVE-2026-23698
HIGHVtiger CRM 8.4.0 Authenticated RCE via Module Import File Upload
Title source: cnaExploitation Summary
EIP tracks 1 public exploit for CVE-2026-23698. PoCs published by JivaSecurity.
AI-analyzed exploit summary This PoC exploits an authenticated remote code execution (RCE) vulnerability in Vtiger CRM 8.x via two methods: module import (unrestricted file upload in ZIP extraction) and PHAR upload (misconfigured storage directory listing). The exploit achieves unauthenticated command execution after initial admin credentials are used.
Description
Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents directly into the modules/ directory under the web root without validating file types beyond the manifest.xml descriptor. Attackers can place executable PHP files in the modules/ directory that become directly accessible via HTTP, bypassing Vtiger's authentication and authorization layer entirely since Apache resolves the path and invokes the PHP interpreter before the application routing layer is involved, resulting in a persistent web shell independent of the originating session.
Exploits (1)
This PoC exploits an authenticated remote code execution (RCE) vulnerability in Vtiger CRM 8.x via two methods: module import (unrestricted file upload in ZIP extraction) and PHAR upload (misconfigured storage directory listing). The exploit achieves unauthenticated command execution after initial admin credentials are used.
References (3)
Scores
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H