CVE-2012-0694
published 2019-10-29

CVE-2012-0694: SugarCRM CE <= 6.3.1 contains scripts that use "unserialize()" with user controlled input which allows remote attackers to execute arbitrary PHP code.

Priority P278 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 67.26% (99.2nd percentile)

Affected (1 range)

Vendor     Product    Version range   Fixed in
sugarcrm   sugarcrm   <= 6.3.1

Detection & IOCs (extracted from sources)

path: include/MVC/View/views/view.list.php
path: pathCache.php
path: include/generic/Save2.php
path: include/MVC/Controller/SugarController.php
path: modules/Import/Importer.php
path: modules/ProjectTask/views/view.list.php
other: current_query_by_page
command: GET {path}pathCache.php HTTP/1.0 with header Cmd: <base64-encoded-command>
  • Alert on HTTP requests to 'pathCache.php' at the SugarCRM web root, especially those carrying a 'Cmd' HTTP header with a base64-encoded value — this is the webshell execution step.
  • Monitor for creation of 'pathCache.php' in the SugarCRM web root directory; this file is written by the exploit as a PHP webshell via the SugarTheme __destruct() method.
  • Inspect POST bodies to SugarCRM's index.php for the 'firstrow' parameter containing base64-encoded serialized data, targeting the Import module's unserialize() sink.
  • Look for authentication attempts followed immediately by a POST to index.php with module=Contacts and a large base64 blob in current_query_by_page — this two-step pattern is characteristic of the exploit chain.
  • Exploitation requires valid credentials — the attacker must authenticate before triggering the unserialize() vulnerability. Detection should account for the authenticated context.
  • Multiple vulnerable unserialize() sinks exist across different files and parameters (current_query_by_page, firstrow); detection rules must cover all sinks, not just view.list.php.
  • The Metasploit module attempts to clean up the dropped webshell (pathCache.php) after session establishment via Meterpreter; the forensic artifact may be short-lived.
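The four detection bullets above, turned into a small rule set and run over constructed HTTP request records. This is an added example, not code from cvebase, NVD or the Metasploit module. The sample requests, the module=Users&action=Authenticate login form, and the serialized SugarTheme object (a placeholder object, not the real gadget chain) are assumptions. The rules also assume that benign SugarCRM traffic carries base64-encoded serialized PHP arrays in current_query_by_page, so only serialized objects (O:...) are alerted on; the pathCache.php rule fires on any hit, since the file should not exist on an unexploited install.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Matches a serialized PHP object header, e.g. O:10:"SugarTheme":1:{ ... }
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_][A-Za-z0-9_\\]*)":\d+:\{')
# Request parameters the page lists as reaching unserialize()
UNSERIALIZE_PARAMS = ("current_query_by_page", "firstrow")


def b64_decode(value):
    """Return decoded bytes if value is well-formed base64 (standard or URL-safe,
    padding optional), otherwise None. Used for both the Cmd header and the
    serialized payload parameters."""
    cleaned = re.sub(r"\s", "", value)
    if not cleaned or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", cleaned):
        return None
    cleaned = cleaned.replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyze(requests, window=60):
    """Run the rules over chronologically ordered records
    (timestamp, source IP, method, URL, headers dict, body) and return alerts."""
    alerts = []
    last_login = {}  # source IP -> timestamp of the last authentication attempt
    for ts, src, method, url, headers, body in requests:
        parsed = urlparse(url)
        params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        if method == "POST":
            params.update({k: v[0] for k, v in parse_qs(body).items()})
        hdrs = {k.lower(): v for k, v in headers.items()}

        # Rule 1: any request for pathCache.php; a decodable Cmd header is the
        # webshell execution step, so the decoded command is recorded.
        if parsed.path.endswith("/pathCache.php") or parsed.path == "pathCache.php":
            cmd = hdrs.get("cmd")
            decoded = b64_decode(cmd) if cmd else None
            alerts.append({"rule": "webshell", "src": src, "ts": ts,
                           "command": decoded.decode("latin-1") if decoded else None})

        # SugarCRM login form (assumed parameter names); remembered for Rule 4.
        if params.get("module") == "Users" and params.get("action") == "Authenticate":
            last_login[src] = ts
            continue

        # Rules 2 and 3: a serialized PHP object in either unserialize() sink.
        for name in UNSERIALIZE_PARAMS:
            if name not in params:
                continue
            decoded = b64_decode(params[name])
            if decoded is None:
                continue
            match = PHP_OBJECT_RE.search(decoded.decode("latin-1"))
            if not match:
                continue  # serialized array: assumed to be SugarCRM's own usage
            alert = {"rule": "unserialize_object", "src": src, "ts": ts,
                     "param": name, "class": match.group(1),
                     "module": params.get("module")}
            # Rule 4: login followed shortly by the payload from the same source.
            if src in last_login and 0 <= ts - last_login[src] <= window:
                alert["chain"] = "authenticated"
            alerts.append(alert)
    return alerts


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample traffic (not real captures): one exploit chain as the
# bullets describe it, plus a benign list-view request that must not fire.
GADGET = 'O:10:"SugarTheme":1:{s:4:"name";s:3:"foo";}'  # placeholder, not the real gadget
BENIGN = 'a:1:{s:6:"module";s:8:"Contacts";}'          # serialized array, normal use
SAMPLE_REQUESTS = [
    (100, "10.0.0.5", "POST", "/sugarcrm/index.php", {},
     urlencode({"module": "Users", "action": "Authenticate",
                "user_name": "admin", "user_password": "x"})),
    (103, "10.0.0.5", "POST", "/sugarcrm/index.php", {},
     urlencode({"module": "Contacts", "action": "index",
                "current_query_by_page": _b64(GADGET)})),
    (105, "10.0.0.5", "GET", "/sugarcrm/pathCache.php", {"Cmd": _b64("id")}, ""),
    (200, "10.0.0.9", "POST", "/sugarcrm/index.php", {},
     urlencode({"module": "Contacts", "action": "index",
                "current_query_by_page": _b64(BENIGN)})),
    (300, "10.0.0.9", "POST", "/sugarcrm/index.php", {},
     urlencode({"module": "Import", "firstrow": _b64(GADGET)})),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_REQUESTS):
        print(alert)
```

Run stand-alone it prints three alerts: the authenticated Contacts payload, the webshell hit with the decoded command, and the Import-module firstrow payload from a source that never logged in; the benign array in current_query_by_page is ignored.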

CVSS provenance

NVD v3.1: 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P