CVE-2025-67886
Remote Code Execution in Bitrix24
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bitrix | bitrix24 | up to and including 25.100.300 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67886 is an unrestricted file upload weakness (CWE-434) in the Translate module of Bitrix24, affecting versions up to and including 25.100.300.
An authenticated user who holds the module's SOURCE and WRITE permissions can upload an archive that contains a PHP file together with a crafted .htaccess file.
The module does not validate the contents of the archive, so both files are extracted into a temporary directory; because Apache applies per-directory .htaccess directives, the attacker can arrange for the extracted PHP file to be executed, which gives arbitrary code execution in the context of the web server.
The result is remote code execution, but only from an account that already holds these high-level permissions; there is no unauthenticated path described.
The vendor disputes that this is a vulnerability, on the grounds that uploading new translated pages to the site is the intended capability of users granted these privileges.
How can this vulnerability impact me? :
If exploited, this vulnerability lets an attacker who holds SOURCE and WRITE permissions in the Translate module run arbitrary PHP code on the server hosting Bitrix24.
Code execution as the web server user is typically enough to read the application's configuration and database credentials, read or alter any data Bitrix24 manages, plant persistent backdoors, and disrupt the service.
Because the attack requires an authenticated account with these specific permissions, the practical risk is determined by who holds them: every such account, including one taken over through phishing or credential reuse, becomes a direct route to server compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation leaves file-system artifacts: a PHP file and a .htaccess file appearing in the directory where the Translate module extracts uploaded archives, or more generally in any upload or temporary directory that should only ever hold data. Bitrix24's own code legitimately calls eval(), base64_decode() and similar functions, so a pattern search over the whole installation is noisy; restrict it to recently changed files and, where you know them, to upload and temporary paths. A .htaccess file that contains AddHandler, SetHandler, AddType, php_flag or php_value directives in such a directory is a strong indicator on its own.
Example commands (adjust the path to your installation; -ctime is used rather than -mtime because an attacker can backdate a file's mtime with touch but cannot set its ctime):
- find /path/to/bitrix24/ -type f \( -name '*.php' -o -name '.htaccess' \) -ctime -7
- find /path/to/bitrix24/ -type f -name '*.php' -ctime -7 -exec grep -lE 'eval\(|base64_decode\(|shell_exec\(' {} +
In addition, review web server access logs for POST requests to the Translate module's endpoints that carry archive uploads (for example .tar.gz or .zip request bodies), particularly from accounts that do not normally perform translation work, and correlate their timestamps with any files found above.
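As an added example, not code from this page or from Bitrix, the following Python script applies the checks above to a directory tree: it lists .php and .htaccess files whose inode changed within the window (the newer of mtime and ctime, so a backdated mtime does not hide a file), flags any .htaccess that would re-enable script execution in that directory, and grades PHP files by the web-shell markers they contain. The sample directory layout and file contents used when exercising it are constructed; this page does not say which directory the Translate module extracts archives into, so point the scanner at the installation root or at the upload and temporary directories you know.

```python
import re
import sys
import time
from pathlib import Path

# Apache directives an attacker would put in an uploaded .htaccess to make
# a data directory execute PHP (or map harmless extensions onto the PHP handler).
HTACCESS_DIRECTIVES = re.compile(
    r"^\s*(?:AddHandler|SetHandler|AddType)\b.*php"
    r"|^\s*php_(?:flag|value|admin_flag|admin_value)\b"
    r"|^\s*Options\b.*ExecCGI",
    re.IGNORECASE | re.MULTILINE,
)
# Functions typically seen in dropped web shells. Bitrix24's own code also
# uses several of these, which is why the scan is limited to recent files.
PHP_EXEC = re.compile(
    r"\b(?:eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(",
    re.IGNORECASE,
)
PHP_DECODE = re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)
SCRIPT_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}


def file_is_recent(path, cutoff):
    """True if the file's mtime or ctime is at or after cutoff.

    utime(2)/touch can backdate mtime, so a dropped file can hide from
    `find -mtime`; ctime is set by the kernel on every inode change and
    cannot be chosen by an unprivileged process, so the newer of the two is used.
    """
    st = path.stat()
    return max(st.st_mtime, st.st_ctime) >= cutoff


def scan_tree(root, max_age_days=7, now=None):
    """Return findings (path, severity, reason) for recent .php/.htaccess files under root."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        is_htaccess = path.name == ".htaccess"
        if not is_htaccess and path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        if not file_is_recent(path, cutoff):
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if is_htaccess:
            m = HTACCESS_DIRECTIVES.search(text)
            if m:
                findings.append({"path": rel, "severity": "high",
                                 "reason": "htaccess enables script execution: " + m.group(0).strip()})
            else:
                findings.append({"path": rel, "severity": "low",
                                 "reason": "recent .htaccess (review manually)"})
            continue
        exec_hit = PHP_EXEC.search(text)
        decode_hit = PHP_DECODE.search(text)
        if exec_hit and decode_hit:
            sev = "high"
            why = "exec + decode: %s with %s" % (exec_hit.group(0), decode_hit.group(0))
        elif exec_hit:
            sev, why = "medium", "exec function: " + exec_hit.group(0)
        else:
            sev, why = "low", "recent PHP file without obvious shell markers"
        findings.append({"path": rel, "severity": sev, "reason": why})
    return findings


if __name__ == "__main__":
    # Usage: python scan.py /path/to/bitrix24 [days]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 7
    for f in scan_tree(target, max_age_days=days):
        print("%-6s %s: %s" % (f["severity"], f["path"], f["reason"]))
```

Treat "low" findings as a change list to compare against your deployment records rather than as alerts; a legitimate update touches many PHP files at once, whereas the exploit described here produces a PHP file and a .htaccess in the same data directory at the same moment.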
What immediate steps should I take to mitigate this vulnerability?
The first step is to restrict the Translate module's SOURCE and WRITE permissions to a small set of fully trusted accounts, since the attack cannot be carried out without them; review who currently holds them and whether those accounts use strong authentication.
The vendor disputes the report and no fix is referenced on this page, so the remaining controls are compensating ones: strict access control plus monitoring for suspicious uploads and newly written files.
The .htaccess half of the attack only works where Apache honours per-directory overrides, so disabling AllowOverride and PHP execution for upload and temporary directories removes the execution path even if an archive is still extracted there.
A web application firewall rule that flags archive uploads containing .php or .htaccess entries, together with log review for exploitation attempts, adds a detective layer, but note that translation uploads are a legitimate feature for these users, so such rules need tuning rather than outright blocking.
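The following Apache configuration is an added illustration, not a fragment from this page or from Bitrix24's own distribution, of the weak setting beside the hardened one for a directory that stores uploaded or extracted files. The directory path is an assumption; substitute the real upload and temporary locations of your installation, which this page does not name.

```apache
# Weak: per-directory overrides are honoured, so a .htaccess extracted from an
# uploaded archive can map any extension onto the PHP handler and the
# extracted script runs.
<Directory "/var/www/bitrix24/upload">
    AllowOverride All
</Directory>

# Hardened: ignore .htaccess entirely, turn the PHP engine off where mod_php is
# in use, drop any script handlers, and refuse to serve PHP files at all. The
# directory can still store and serve data files.
<Directory "/var/www/bitrix24/upload">
    AllowOverride None
    Options -ExecCGI -Includes
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
    # With PHP-FPM there is no engine flag; make sure no SetHandler for
    # proxy:fcgi applies here and deny the files outright instead.
    RemoveHandler .php .phtml .phar
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>
</Directory>
```

After changing the configuration, run apachectl configtest and then confirm the behaviour rather than trusting the config: place a throwaway PHP file and a .htaccess with an AddHandler line in the directory, request the file over HTTP, and check that the server returns 403 instead of executing it.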
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the CVE-2025-67886 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.