CVE-2021-42840
published 2021-10-22

CVE-2021-42840: SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting.

Priority: P2 (73, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 58.95% (99.0th percentile)
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.

Affected

1 range

Vendor         Product    Version range   Fixed in
salesagility   suitecrm   < 7.11.19       7.11.19

Detection & IOCs (extracted from sources)

path: index.php?module=Administration&action=index
path: index.php?module=Configurator&action=EditView
  • Monitor for POST requests to index.php with module=Users, action=Save, where the last_name field contains PHP tags (<?php ... ?>) — this is the log-poisoning step that injects PHP code via the user profile.
  • Alert on GET/POST requests to any file under the SuiteCRM web root matching a mixed-case .pHp (or similar) extension — this is the execution step where the poisoned log file is triggered as PHP.
  • Look for the full exploit sequence: (1) admin login, (2) POST to Configurator SaveConfig with mixed-case logger_file_ext, (3) POST to Users Save with PHP payload in last_name, (4) GET request to the newly created mixed-case .pHp log file.
  • The exploit leaves artifacts on disk (the mixed-case .pHp log file under the web root) and IOCs in logs (PHP code injected via last_name field). Check for unexpected .pHp/.Php files in the SuiteCRM web root.
  • Exploit requires authenticated admin credentials — it is not unauthenticated RCE. Admin account takeover is a prerequisite.
  • This is an incomplete fix bypass of CVE-2020-28328; the original fix only blocked all-lowercase PHP extensions. Mixed-case variants (e.g. .pHp) were not blocked until 7.11.19.
  • The Metasploit module also covers older CVE-2020-28328 versions where a blank file extension could be supplied and the extension provided in the file name.
  • The RESTORECONF option (default: true) will attempt to restore logger_file_name to 'suitecrm' and logger_file_ext to '.log' after exploitation, potentially hiding forensic evidence of the config change.
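An added detection example, not code from the page's sources or from SuiteCRM: it scans Apache-style access-log lines for the three request shapes the bullets above describe (Configurator SaveConfig, Users Save, and a request to a file whose extension is PHP only after case-folding). The PHP_EXTENSIONS set, the IP addresses and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

PHP_EXTENSIONS = {"php"}  # assumed set; extend with whatever your PHP handler executes

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')

def extension_of(path):
    # Last extension of the final path component, '' if there is none.
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""

def is_disguised_php(path):
    # The incomplete fix compared the extension case-sensitively, so .pHp or
    # .Php slipped through; flag anything that is PHP only after case-folding.
    ext = extension_of(path)
    return ext != ext.lower() and ext.lower() in PHP_EXTENSIONS

def classify(method, target):
    # Map one request to a finding label, or None if it is uninteresting.
    parts = urlsplit(target)
    if is_disguised_php(parts.path):
        return "mixed-case-php-request"        # step (4): poisoned log executed
    if method == "POST" and parts.path.endswith("index.php"):
        q = parse_qs(parts.query)
        module, action = q.get("module", [""])[0], q.get("action", [""])[0]
        if (module, action) == ("Configurator", "SaveConfig"):
            return "configurator-saveconfig"   # step (2): logger_file_ext change
        if (module, action) == ("Users", "Save"):
            return "users-save"                # step (3): inspect last_name in body
    return None

def scan_access_log(lines):
    # Return (ip, finding, target) for every suspicious line, in log order.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        label = classify(m["method"], m["target"]) if m else None
        if label:
            findings.append((m["ip"], label, m["target"]))
    return findings

# Constructed sample lines in Apache combined-log style (not from a real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2021:10:01:02 +0000] "POST /suitecrm/index.php?module=Configurator&action=SaveConfig HTTP/1.1" 302 0 "-" "curl/7.79"
203.0.113.5 - - [22/Oct/2021:10:01:09 +0000] "POST /suitecrm/index.php?module=Users&action=Save HTTP/1.1" 302 0 "-" "curl/7.79"
203.0.113.5 - - [22/Oct/2021:10:01:15 +0000] "GET /suitecrm/suitecrm.pHp HTTP/1.1" 200 512 "-" "curl/7.79"
198.51.100.7 - - [22/Oct/2021:10:02:00 +0000] "GET /suitecrm/index.php?module=Home&action=index HTTP/1.1" 200 8231 "-" "Mozilla/5.0"
"""
```

Access logs carry only the request line, so a users-save hit is a prompt to check the request body or the user record for PHP tags in last_name, not proof of poisoning on its own.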

CVSS provenance

NVD v3.1: 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C