CVE-2026-23698
Received Received - Intake

Authenticated Remote Code Execution in Vtiger CRM via Malicious Module Import

Vulnerability report for CVE-2026-23698, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: VulnCheck

Description

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents directly into the modules/ directory under the web root without validating file types beyond the manifest.xml descriptor. Attackers can place executable PHP files in the modules/ directory that become directly accessible via HTTP, bypassing Vtiger's authentication and authorization layer entirely since Apache resolves the path and invokes the PHP interpreter before the application routing layer is involved, resulting in a persistent web shell independent of the originating session.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vtiger crm to 8.4.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-23698 is a high-severity authenticated remote code execution vulnerability in Vtiger CRM version 8.4.0 and earlier. It exists in the admin module import feature, where an attacker with administrator privileges can upload a specially crafted ZIP archive containing malicious PHP files.

The system extracts the contents of this ZIP archive directly into the modules/ directory under the web root without properly validating the file types beyond the manifest.xml descriptor. This allows the attacker to place executable PHP files that become accessible via HTTP.

Because the Apache web server processes these PHP files before the application routing layer, the attacker can bypass Vtiger's authentication and authorization mechanisms, resulting in a persistent web shell that remains accessible independently of the original session.

Impact Analysis

This vulnerability allows an attacker with administrator access to execute arbitrary PHP code on the server hosting Vtiger CRM. This can lead to full system compromise, including unauthorized data access, data modification, and persistent backdoor access.

Since the malicious PHP files are accessible directly via HTTP and bypass authentication, the attacker can maintain persistent control over the system without needing to re-authenticate.

The impact includes potential data breaches, disruption of CRM services, and further exploitation of the underlying server and network.

Detection Guidance

This vulnerability can be detected by checking for the presence of unauthorized PHP files in the modules/ directory under the web root, as attackers upload malicious PHP files there via the module import feature.

You can use commands to search for suspicious PHP files in the modules directory, for example:

  • find /path/to/vtiger/modules/ -type f -name '*.php' -exec ls -l {} \;
  • grep -r '<?php' /path/to/vtiger/modules/ --include='*.php'

Additionally, monitoring HTTP access logs for unusual requests to PHP files in the modules/ directory can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting administrator access to trusted users only, as the vulnerability requires admin-level authentication.

Avoid using the module import feature until a patch or update is applied.

Manually inspect and remove any unauthorized PHP files found in the modules/ directory.

Apply any available security patches or upgrade to a version of Vtiger CRM that addresses this vulnerability once released.

Implement web server rules to block direct HTTP access to PHP files in the modules/ directory if possible.

Compliance Impact

CVE-2026-23698 allows an authenticated administrator to upload arbitrary PHP files that result in persistent remote code execution and a web shell accessible without authentication. This unauthorized access and control over the system can lead to data breaches, unauthorized data access, and potential manipulation or exfiltration of sensitive information.

Such a vulnerability can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access. The ability for attackers to bypass authentication and maintain persistent access increases the risk of violating these regulatory requirements.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23698. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart