CVE-2025-67887
Remote Code Execution in 1C-Bitrix
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1c-bitrix | 1c-bitrix | to 25.100.500 (inc) |
| 1c-bitrix | 1c-bitrix | to 25.100.500 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2025-67887 is a remote code execution vulnerability in the 1C-Bitrix content management system, specifically in the Translate Module up to version 25.100.500.
An attacker who has SOURCE/WRITE permissions for the Translate Module can upload a malicious archive containing a PHP file and a .htaccess file. This archive is then extracted on the server, allowing the attacker to execute arbitrary PHP code remotely.
This exploit enables the attacker to gain control over the affected system by running commands through a web shell that is uploaded and activated via the vulnerability.
The supplier disputes this as a vulnerability, claiming it is intended behavior for users with high privileges who can upload new translated pages.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with certain permissions to execute arbitrary code on your server remotely.
This can lead to full system compromise, including unauthorized access, data theft, modification or deletion of files, and disruption of website functionality.
Since the attacker can upload and run a web shell, they can maintain persistent access and perform further malicious activities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying if an attacker can upload and execute PHP files via the Translate Module by exploiting SOURCE/WRITE permissions.
One practical approach is to monitor for unusual file uploads, especially archives containing PHP files and .htaccess files, in the Translate Module directories.
Additionally, using the Bitrix administrative PHP command line tool (/bitrix/admin/php_command_line.php) can help execute PHP code snippets to check for unauthorized file upload or execution capabilities.
While no direct detection commands are provided, the exploit script described in Resource 1 uses cURL commands to log in, retrieve CSRF tokens, upload malicious archives, and execute commands remotely, which can be adapted for detection by attempting safe test uploads or monitoring such activities.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting SOURCE/WRITE permissions for the Translate Module to only fully trusted users, as the vulnerability requires such permissions to exploit.
Monitor and control file uploads to the Translate Module, especially preventing uploads of archives containing PHP and .htaccess files.
Since no official patch is currently available, consider disabling or limiting the Translate Module functionality if possible until a fix is released.
Regularly audit user permissions and review logs for suspicious activities related to file uploads and execution.
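The upload check named in the mitigation steps above, as an added example (not code from the advisory or the vendor): it lists an archive's members without extracting it and flags PHP-handled scripts, `.htaccess`/`.user.ini` files, and paths that would leave the extraction directory. The accepted formats (zip, tar, tar.gz), the extension list and all function names are assumptions; the sample archive is constructed.

```python
import io
import tarfile
import zipfile
from pathlib import PurePosixPath

# Assumed list of extensions mapped to the PHP handler; adjust to the server's config.
EXEC_SUFFIXES = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".pht"}
# Per-directory Apache / PHP config files that change how a directory is served.
CONFIG_NAMES = {".htaccess", ".user.ini"}

def member_names(data: bytes) -> list[str]:
    """List member paths of a zip or (optionally compressed) tar archive, no extraction."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            return zf.namelist()
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        return tf.getnames()

def audit_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) findings; an empty list means nothing was flagged."""
    findings = []
    for name in member_names(data):
        path = PurePosixPath(name.replace("\\", "/"))
        base = path.name.lower()
        if path.is_absolute() or ".." in path.parts:
            findings.append((name, "path escapes extraction directory"))
        if base in CONFIG_NAMES:
            findings.append((name, "per-directory server config"))
        # Check every suffix so "x.php.txt" and "x.PHP" are caught as well.
        elif any(s in EXEC_SUFFIXES for s in PurePosixPath(base).suffixes):
            findings.append((name, "server-executable script"))
    return findings

def make_tar_gz(files: dict[str, bytes]) -> bytes:
    """Build a constructed sample .tar.gz in memory for the demonstration."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return out.getvalue()

if __name__ == "__main__":
    sample = make_tar_gz({"lang/en/menu.txt": b"ok", "lang/en/.htaccess": b"#", "lang/en/a.php": b"#"})
    for member, reason in audit_archive(sample):
        print(f"FLAG {member}: {reason}")
```

Bitrix localization files are themselves PHP files, so a script finding is a prompt to review that member's content rather than proof of abuse.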