Description: Authenticated RCE in Vtiger Open Source Edition

Version affected: Vtiger Open Source Edition <= v8.3.0

System: https://www.vtiger.com/open-source-crm/

Solution: Disable the ModuleImport feature. See article

Researcher: Simon Njuguna

PoC: https://github.com/cyspa/CVEs/blob/main/CVE-2025-45753

Description:

  • The "Module Import" feature allows privileged authenticated users to upload ZIP files containing module files.
  • The system fails to properly validate uploaded ZIP contents, allowing an attacker to include a malicious PHP file.
  • Once uploaded, the attacker can directly access and execute the PHP file, achieving remote code execution (RCE) on the server.
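The second bullet is the root cause: the import path trusts whatever the ZIP carries. As an added example (not code from the advisory, the PoC, or the Vtiger code base), the following Python audit inspects a module ZIP before it reaches the importer: it parses manifest.xml, checks the module name against an allowlist, rejects entries that would be written outside the module directory, and flags PHP files that call command-execution or outbound-socket functions. Assumptions not taken from the advisory: the manifest tags sit under a `<module>` root, the allowlist is something the operator maintains, and the function-name list is a heuristic, not a complete list of dangerous PHP. The sample ZIP is constructed in the block and its PHP body only carries the tokens the scanner keys on.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Heuristic markers for command execution / outbound connections in PHP
# (assumption: an incomplete list, meant to trigger review, not to prove safety).
SUSPICIOUS_PHP = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|pcntl_exec|eval|fsockopen|assert)\s*\(",
    re.IGNORECASE,
)


def parse_manifest(xml_text):
    """Return type/name/label/parent from a manifest.xml body.
    Assumption (not from the advisory): the tags sit under a <module> root."""
    root = ET.fromstring(xml_text)

    def text(tag):
        el = root.find(f".//{tag}")
        return el.text.strip() if el is not None and el.text else None

    return {k: text(k) for k in ("type", "name", "label", "parent")}


def audit_module_zip(zip_bytes, approved_modules=()):
    """Inspect a module ZIP before import; returns a list of finding strings.
    An empty list means nothing was flagged, not that the module is safe."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if "manifest.xml" not in names:
            findings.append("missing manifest.xml")
        else:
            try:
                m = parse_manifest(zf.read("manifest.xml").decode("utf-8", "replace"))
                if m["name"] not in approved_modules:
                    findings.append(f"module '{m['name']}' is not on the approved list")
            except ET.ParseError:
                findings.append("manifest.xml is not well-formed XML")
        for info in zf.infolist():
            n = info.filename
            # Zip-slip: an entry that would be extracted outside the module directory.
            if n.startswith("/") or ".." in n.split("/"):
                findings.append(f"unsafe path: {n}")
            if n.lower().endswith((".php", ".phtml", ".phar")):
                body = zf.read(info).decode("utf-8", "replace")
                hits = sorted({mm.group(1).lower() for mm in SUSPICIOUS_PHP.finditer(body)})
                if hits:
                    findings.append(f"{n}: calls {', '.join(hits)}")
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from a {path: text} mapping (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in entries.items():
            zf.writestr(path, body)
    return buf.getvalue()


def build_sample_zip():
    """Constructed sample mirroring the advisory's layout (manifest.xml + List.php).
    The PHP body is not a working payload; it only names the functions a scanner looks for."""
    manifest = (
        "<module><type>extension</type><name>RCEModule</name>"
        "<label>RCEModule</label><parent>Tools</parent></module>"
    )
    php = "<?php\n// constructed sample: $s = fsockopen($h, $p); proc_open($cmd, $d, $pipes);\n"
    return build_zip({"manifest.xml": manifest, "List.php": php})


if __name__ == "__main__":
    for f in audit_module_zip(build_sample_zip(), approved_modules=("Calendar",)):
        print("FINDING:", f)
```

Run against a real upload, the findings list is what a reviewer or a pre-import hook would act on; the allowlist check alone already stops an unexpected module like the one in this advisory from being installed silently. xml.etree is used here for portability; for manifests from untrusted sources a hardened parser such as defusedxml is the better choice.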

Impact:

Potential full server takeover

Steps to reproduce the vulnerability

On the attacker machine, start netcat: nc -lnvp 4444

Create the module zip file for vtiger.

The vtiger module zip file contains a manifest.xml file and a PHP file named List.php.

In the manifest.xml file, specify the module name, label and parent:

<type>extension</type><name>RCEModule</name><label>RCEModule</label><parent>Tools</parent>

Insert a PHP reverse shell payload in List.php.

In vtiger, navigate to Module Management > Modules > Import Module from Zip.

Select the zip file and click import, then click 'Import Now'.

Once successfully installed, navigate to TOOLS and click the RCEModule.

Netcat will receive the reverse connection.