cbcvebase.
CVE-2020-28328
published 2020-11-06


Priority: P2 (77, high)
CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 64.09% (99.1th percentile)
SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.

Affected (2 ranges)

Vendor        Product    Version range   Fixed in
salesagility  suitecrm   < 7.11.19       7.11.19
salesagility  suitecrm   < 7.11.17       7.11.17

Detection & IOCs (extracted from sources)

url:      http://127.0.0.1/index.php
filename: shell-[a-z]{6}.php
path:     /index.php?module=Configurator&action=EditView
command:  module=Users&action=Authenticate&return_module=Users&return_action=Login
command:  module=Users&record=1&action=Save&page=EditView&return_action=DetailView&last_name=<php_payload>
path:     /<shell-[a-z]{6}.php>
  • Detect POST to index.php with module=Users, action=Save, and a last_name field containing PHP tags (e.g. <?php) — this is the log-poisoning step that injects PHP code into the malicious log file.
  • Detect GET requests to web-root PHP files matching the pattern shell-[a-z]{6}.php — this is the RCE trigger step where the attacker fetches the poisoned log file for execution.
  • The bypass relies on supplying a blank logger_file_ext while embedding the .php extension inside logger_file_name — alert on any Configurator SaveConfig request where logger_file_ext is empty.
  • CVE-2021-42840 (incomplete fix) also allows mixed-case PHP extensions (e.g. .PHP, .Php) in logger_file_name — extend detection to case-insensitive matching of PHP file extensions in Configurator SaveConfig requests.
  • Monitor for the presence of newly created PHP files in the SuiteCRM web root whose names match shell-[a-z]{6}.php — these are attacker-dropped webshells created via log file redirection.
  • The Metasploit module targets this same vulnerability via the linux/http/suitecrm_log_file_rce path — hunt for this module reference in network/proxy logs or IDS signatures.
  • The exploit requires an authenticated administrator session — the attacker must first obtain valid admin credentials before exploiting the log file RCE.
  • The logger_level must be set to 'info' (not 'fatal') for the PHP payload in last_name to be written into the log file — detection rules should account for this transient configuration state.
  • The CVE-2021-42840 incomplete-fix variant works on SuiteCRM before 7.11.19 and uses mixed-case PHP extensions rather than a blank extension — the same Metasploit module covers both variants.

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C