CVE-2025-67887
Awaiting Analysis Awaiting Analysis - Queue
Remote Code Execution in 1C-Bitrix

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: MITRE

Description
1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2025-67887
EUVD
EUVD-2025-209735
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
1c-bitrix 1c-bitrix to 25.100.500 (inc)
1c-bitrix 1c-bitrix to 25.100.500 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-67887 is a remote code execution vulnerability in the 1C-Bitrix content management system, specifically in the Translate Module up to version 25.100.500.

An attacker who has SOURCE/WRITE permissions for the Translate Module can upload a malicious archive containing a PHP file and a .htaccess file. This archive is then extracted on the server, allowing the attacker to execute arbitrary PHP code remotely.

This exploit enables the attacker to gain control over the affected system by running commands through a web shell that is uploaded and activated via the vulnerability.

The supplier disputes this as a vulnerability, claiming it is intended behavior for users with high privileges who can upload new translated pages.

Impact Analysis

If exploited, this vulnerability allows an attacker with certain permissions to execute arbitrary code on your server remotely.

This can lead to full system compromise, including unauthorized access, data theft, modification or deletion of files, and disruption of website functionality.

Since the attacker can upload and run a web shell, they can maintain persistent access and perform further malicious activities.

Detection Guidance

Detection of this vulnerability involves verifying if an attacker can upload and execute PHP files via the Translate Module by exploiting SOURCE/WRITE permissions.

One practical approach is to monitor for unusual file uploads, especially archives containing PHP files and .htaccess files, in the Translate Module directories.

Additionally, using the Bitrix administrative PHP command line tool (/bitrix/admin/php_command_line.php) can help execute PHP code snippets to check for unauthorized file upload or execution capabilities.

While no direct detection commands are provided, the exploit script described in Resource 1 uses cURL commands to log in, retrieve CSRF tokens, upload malicious archives, and execute commands remotely, which can be adapted for detection by attempting safe test uploads or monitoring such activities.

Mitigation Strategies

Immediate mitigation steps include restricting SOURCE/WRITE permissions for the Translate Module to only fully trusted users, as the vulnerability requires such permissions to exploit.

Monitor and control file uploads to the Translate Module, especially preventing uploads of archives containing PHP and .htaccess files.

Since no official patch is currently available, consider disabling or limiting the Translate Module functionality if possible until a fix is released.

Regularly audit user permissions and review logs for suspicious activities related to file uploads and execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67887. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart