Multiple SugarCRM Products Remote Code Execution Vulnerability
Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates.
A remote attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2023-02-23 under CISA BOD 22-01.
This is a Improper Input Validation (CWE-20) vulnerability in SugarCRM Multiple Products. In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation. Exploitation requires remote network access, low attack complexity, a low-privilege authenticated account, and no user interaction required.
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply updates per vendor instructions.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References