Rapid7 Vulnerability & Exploit Database

SugarCRM unauthenticated Remote Code Execution (RCE)

Back to Search

SugarCRM unauthenticated Remote Code Execution (RCE)



This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint /index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration, the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and gaining access to the system. This vulnerability does not require authentication because there is a missing authentication check in the loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get destroyed and hence the attacker can continue to send valid requests to the application. Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain access to the underlying operating system as the user that the web services are running as (typically www-data).


  • Sw33t.0day
  • h00die-gr3y <h00die.gr3y@gmail.com>




cmd, php, x64, x86


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/sugarcrm_webshell_cve_2023_22952
msf exploit(sugarcrm_webshell_cve_2023_22952) > show targets
msf exploit(sugarcrm_webshell_cve_2023_22952) > set TARGET < target-id >
msf exploit(sugarcrm_webshell_cve_2023_22952) > show options
    ...show and set options...
msf exploit(sugarcrm_webshell_cve_2023_22952) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security