CVE-2023-22952
published 2023-01-11

CVE-2023-22952: In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.

Priority: P1 · 93
Severity: high (8.8, CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability: due 2023-02-23
Exploited in the wild
EPSS: 80.27% (99.6th percentile)

Affected

2 ranges
Vendor     Product    Version range         Fixed in
sugarcrm   sugarcrm   >= 11.0.0 < 11.0.5    11.0.5
sugarcrm   sugarcrm   >= 12.0.0 < 12.0.2    12.0.2

Detection & IOCs (extracted from sources)

url: /index.php?module=EmailTemplates&action=AttachFiles
path: /cache/images/
path: include/MVC/SugarApplication.php
cookie: PHPSESSID=<uuid-format>

Suricata rule (ET Open sid 2043273; uses Suricata sticky buffers such as http.request_body, so it needs rewriting before it will load on Snort 2):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SugarCRM PHP Shell Upload Attempt (CVE-2023-22952)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; content:"PHPSESSID|3d|"; startswith; pcre:"/^PHPSESSID\x3d[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}$/"; http.request_body; content:"content|2d|disposition|3a 20|form|2d|data|3b 20|name|3d 22|module|22 0d 0a 0d 0a|emailtemplates|0d 0a|"; nocase; fast_pattern; content:"|0d 0a|content|2d|disposition|3a 20|form|2d|data|3b 20|name|3d 22|action|22 0d 0a 0d 0a|attachfiles|0d 0a|"; nocase; content:"|89 50 4e 47 0d 0a 1a 0a|"; distance:0; content:"<?php"; distance:0; reference:url,packetstormsecurity.com/files/170346/SugarCRM-Shell-Upload.html; reference:url,sugarclub.sugarcrm.com/dev-club/f/questions-answers/6123/exploit-for-sugarcrm-shell-upload; classtype:attempted-user; sid:2043273; rev:3; metadata:affected_product SugarCRM, attack_target Server, created_at 2023_01_11, cve CVE_2023_22952, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Note that the cookie pcre is anchored with ^ and $, so the rule only fires when the Cookie header consists of nothing but the UUID-shaped PHPSESSID, which is what the public exploit sends; a browser session carrying extra cookies would not match.

bytes: |89 50 4e 47 0d 0a 1a 0a| (PNG file signature, used to pass the image check before the embedded PHP)
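The same conditions the ET rule above checks, re-implemented as an added Python example (not code from the page, from SugarCRM or from Emerging Threats) so the rule's logic can be exercised offline against a captured request. The two sample requests, the boundary string, the host name and the session ID are constructed for this example; the upload shape follows the public exploit's multipart body (module, action, then a file part beginning with the PNG signature). Like the rule, it looks for "<?php" after the PNG signature, so a shell written with a short open tag would not be caught; treat this as a fidelity check on the signature, not as a complete detection.

```python
"""Emulate ET Open sid 2043273 (CVE-2023-22952 shell upload) over a raw HTTP request."""
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # |89 50 4e 47 0d 0a 1a 0a|
# The rule's cookie pcre: the whole Cookie header must be one UUID-shaped PHPSESSID.
UUID_SESSID = re.compile(
    rb"^PHPSESSID=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip()
    return method, target, headers, body


def parse_multipart(body: bytes, content_type: bytes):
    """Return {field_name: raw_content} for a multipart/form-data body."""
    m = re.search(rb"boundary=([^;]+)", content_type)
    if not m:
        return {}
    delimiter = b"--" + m.group(1).strip().strip(b'"')
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):  # closing delimiter reached
            break
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb';\s*name="([^"]*)"', part_head)  # not "filename="
        if name:
            fields[name.group(1).decode()] = part_body.rstrip(b"\r\n")
    return fields


def is_cve_2023_22952_upload(raw: bytes) -> bool:
    """True when every condition of the ET rule holds for this request."""
    method, target, headers, body = parse_request(raw)
    if method != b"POST" or not target.startswith(b"/index.php"):
        return False
    if not UUID_SESSID.match(headers.get("cookie", b"")):
        return False
    fields = parse_multipart(body, headers.get("content-type", b""))
    if fields.get("module", b"").lower() != b"emailtemplates":
        return False
    if fields.get("action", b"").lower() != b"attachfiles":
        return False
    for content in fields.values():
        start = content.find(PNG_MAGIC)
        if start >= 0 and b"<?php" in content[start + len(PNG_MAGIC):]:
            return True
    return False


def _build(sample_file: bytes, filename: bytes) -> bytes:
    """Constructed request in the shape the public exploit sends (not a capture)."""
    boundary = b"----ExampleBoundary"
    parts = [
        b'Content-Disposition: form-data; name="module"\r\n\r\nEmailTemplates',
        b'Content-Disposition: form-data; name="action"\r\n\r\nAttachFiles',
        b'Content-Disposition: form-data; name="file"; filename="' + filename + b'"\r\n'
        b"Content-Type: image/png\r\n\r\n" + sample_file,
    ]
    body = b"".join(b"--" + boundary + b"\r\n" + p + b"\r\n" for p in parts)
    body += b"--" + boundary + b"--\r\n"
    return (
        b"POST /index.php HTTP/1.1\r\nHost: crm.example.test\r\n"
        b"Cookie: PHPSESSID=0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b\r\n"
        b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n\r\n" + body
    )


# Constructed samples: a PNG/PHP polyglot web shell, and a benign PNG header.
MALICIOUS_REQUEST = _build(PNG_MAGIC + b'<?php system($_GET["c"]); ?>', b"cache.php")
BENIGN_REQUEST = _build(PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 13, b"logo.png")

if __name__ == "__main__":
    print("malicious:", is_cve_2023_22952_upload(MALICIOUS_REQUEST))
    print("benign:   ", is_cve_2023_22952_upload(BENIGN_REQUEST))
```

The benign sample deliberately goes through the same module and action with a UUID session cookie, so the only thing separating the two verdicts is the "<?php" after the PNG signature, which is the part of the rule that carries the detection.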
  • The exploit uploads a PNG file with embedded PHP code to /cache/images/. Detect POST requests to /index.php whose multipart body carries both 'EmailTemplates' as module and 'AttachFiles' as action, followed by the PNG magic bytes immediately preceding PHP code.
  • Authentication bypass: after a failed login attempt, the session is NOT destroyed. Monitor for sequences where a 'You must specify a valid username and password' response is followed by successful privileged API calls in the same session.
  • Post-exploitation: detect use of Pacu (AWS exploitation framework) and Scout Suite via their distinctive user agents in CloudTrail logs. Both tools were used for post-compromise AWS account enumeration.
  • Shodan/FOFA fingerprinting queries can identify exposed SugarCRM instances: search for http.html containing 'sugarcrm inc. all rights reserved', http.title 'sugar setup wizard', or http.title 'sugarcrm'.
  • Monitor for RDS snapshot creation followed by security group rule modifications adding port 3306 inbound, then creation of new public RDS instances. This is the post-exploitation data exfiltration pattern observed in the wild.
  • Look for long-term AWS access keys stored in plaintext (the credentials file) on EC2 instances hosting SugarCRM. Compromise of these keys was the primary lateral movement vector from SugarCRM RCE to AWS account takeover, and their presence on the host dramatically widens the blast radius of a web RCE.
  • The vulnerability is exploitable WITHOUT authentication because of a missing auth check in loadUser() (include/MVC/SugarApplication.php). Because the failed-login session is reused, standard authentication logging alone is insufficient to detect exploitation.
  • Uploaded webshells land in /cache/images/ and are directly web-accessible. If the server is configured to execute PHP in that directory, RCE is trivially achieved with a single GET request to the uploaded file.
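The failed-login session-reuse sequence from the bullets above, as an added Python example (not code from the page or from SugarCRM). The log format is constructed for this example: one line per request with an ISO-8601 timestamp, the PHPSESSID value as sid, method, request target, response status and the response's error message, which is what a reverse proxy or WAF would have to record for this check to work. A later successful login clears the session's failed state, so a user who mistypes a password once and then logs in normally is not flagged.

```python
"""Flag sessions that fail a login and then get 200s on non-login requests."""
import re
from urllib.parse import parse_qs, urlsplit

FAILED_LOGIN_MARKER = "You must specify a valid username and password"
# Requests that are part of logging in; anything else served with 200 to a
# session whose most recent login failed is the anomaly.
LOGIN_ACTIONS = {("users", "login"), ("users", "authenticate")}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) (?P<method>[A-Z]+) (?P<target>\S+) '
    r'status=(?P<status>\d+) msg="(?P<msg>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    query = parse_qs(urlsplit(ev["target"]).query)
    ev["module"] = query.get("module", [""])[0].lower()
    ev["action"] = query.get("action", [""])[0].lower()
    ev["status"] = int(ev["status"])
    return ev


def find_failed_login_reuse(lines):
    """Return (sid, ts, module, action) for every 200 served to a session
    whose latest login attempt failed and was never followed by a success."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC timestamps sort lexically
    last_login_failed = {}
    alerts = []
    for e in events:
        if (e["module"], e["action"]) in LOGIN_ACTIONS:
            # Record the outcome; a later successful login legitimises the session.
            last_login_failed[e["sid"]] = e["msg"] == FAILED_LOGIN_MARKER
            continue
        if last_login_failed.get(e["sid"]) and e["status"] == 200:
            alerts.append((e["sid"], e["ts"], e["module"], e["action"]))
    return alerts


# Constructed log lines (not real traffic). Session A is the exploit pattern:
# failed login, then the upload, then the shell. Session B is a user who
# mistyped a password, logged in normally, and loaded the home page.
SAMPLE_LOG = """\
2023-01-11T10:00:01Z sid=0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b POST /index.php?module=Users&action=Authenticate status=200 msg="You must specify a valid username and password"
2023-01-11T10:00:02Z sid=0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b POST /index.php?module=EmailTemplates&action=AttachFiles status=200 msg=""
2023-01-11T10:00:03Z sid=0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b GET /cache/images/cache.php?c=id status=200 msg=""
2023-01-11T10:05:00Z sid=9a8b7c6d-1e2f-3a4b-5c6d-7e8f9a0b1c2d POST /index.php?module=Users&action=Authenticate status=200 msg="You must specify a valid username and password"
2023-01-11T10:05:10Z sid=9a8b7c6d-1e2f-3a4b-5c6d-7e8f9a0b1c2d POST /index.php?module=Users&action=Authenticate status=302 msg=""
2023-01-11T10:05:11Z sid=9a8b7c6d-1e2f-3a4b-5c6d-7e8f9a0b1c2d GET /index.php?module=Home&action=index status=200 msg=""
""".splitlines()

if __name__ == "__main__":
    for alert in find_failed_login_reuse(SAMPLE_LOG):
        print("session reuse after failed login:", alert)
```

Only session A produces alerts: the AttachFiles upload and the follow-up request to the dropped file under /cache/images/. If your proxy cannot log the response message, the failed-login marker can be approximated by a 200 to Users/Authenticate that is not followed by the usual post-login redirect, but that weaker signal needs tuning against real traffic.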
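The two CloudTrail checks from the bullets above (recon tooling by user agent, and the snapshot, port-3306 ingress, public-RDS chain), as an added Python example that is not code from the page or from any vendor. The events are constructed and use a subset of CloudTrail's record fields (eventTime, eventName, userAgent, userIdentity.accessKeyId, requestParameters); the user-agent substrings "Pacu" and "Scout Suite" are assumptions to be confirmed against your own telemetry, and the access key IDs are made up.

```python
"""Correlate constructed CloudTrail-style events for the post-exploitation patterns above."""
from datetime import datetime, timedelta

# Assumed substrings of the tools' user agents; verify against real logs.
TOOL_UA_MARKERS = ("Pacu", "Scout Suite")
CHAIN_WINDOW = timedelta(hours=2)  # how close together the three steps must be


def _t(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def flag_tool_user_agents(events):
    """(accessKeyId, eventName, userAgent) for API calls made by known recon tools."""
    return [
        (ev["userIdentity"]["accessKeyId"], ev["eventName"], ev["userAgent"])
        for ev in events
        if any(marker in ev.get("userAgent", "") for marker in TOOL_UA_MARKERS)
    ]


def _opens_3306(ev):
    """True for an AuthorizeSecurityGroupIngress whose port range covers 3306."""
    if ev["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    perms = ev["requestParameters"].get("ipPermissions", {}).get("items", [])
    return any(p.get("fromPort", -1) <= 3306 <= p.get("toPort", -1) for p in perms)


def _creates_public_rds(ev):
    return (ev["eventName"] in ("CreateDBInstance", "RestoreDBInstanceFromDBSnapshot")
            and ev["requestParameters"].get("publiclyAccessible") is True)


def find_rds_exfil_chains(events, window=CHAIN_WINDOW):
    """One dict per CreateDBSnapshot that the same access key follows, within
    `window`, with a 3306 ingress rule and then a publicly accessible RDS instance."""
    events = sorted(events, key=_t)
    chains = []
    for i, snap in enumerate(events):
        if snap["eventName"] != "CreateDBSnapshot":
            continue
        key = snap["userIdentity"]["accessKeyId"]
        later = [e for e in events[i + 1:]
                 if e["userIdentity"]["accessKeyId"] == key and _t(e) - _t(snap) <= window]
        ingress = next((e for e in later if _opens_3306(e)), None)
        if ingress is None:
            continue
        public = next((e for e in later
                       if _creates_public_rds(e) and _t(e) >= _t(ingress)), None)
        if public is not None:
            chains.append({"accessKeyId": key, "snapshot": snap["eventTime"],
                           "ingress": ingress["eventTime"], "public_instance": public["eventTime"]})
    return chains


def _ev(time, source, name, ua, key, params):
    return {"eventTime": time, "eventSource": source, "eventName": name, "userAgent": ua,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}


ATTACKER_KEY = "AKIAEXAMPLEKEY000001"  # constructed; a long-term key lifted from the CRM host
ADMIN_KEY = "ASIAEXAMPLEKEY000002"     # constructed; a legitimate temporary credential
EVENTS = [  # constructed, not real CloudTrail records
    _ev("2023-01-12T03:00:00Z", "iam.amazonaws.com", "ListUsers", "Pacu/1.4 (constructed)", ATTACKER_KEY, {}),
    _ev("2023-01-12T03:01:00Z", "s3.amazonaws.com", "ListBuckets", "Scout Suite/5.12 (constructed)", ATTACKER_KEY, {}),
    _ev("2023-01-12T03:10:00Z", "rds.amazonaws.com", "CreateDBSnapshot", "aws-cli/2.9.0", ATTACKER_KEY,
        {"dBInstanceIdentifier": "crm-prod", "dBSnapshotIdentifier": "crm-prod-snap"}),
    _ev("2023-01-12T03:15:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "aws-cli/2.9.0", ATTACKER_KEY,
        {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _ev("2023-01-12T03:20:00Z", "rds.amazonaws.com", "RestoreDBInstanceFromDBSnapshot", "aws-cli/2.9.0", ATTACKER_KEY,
        {"dBSnapshotIdentifier": "crm-prod-snap", "dBInstanceIdentifier": "crm-export", "publiclyAccessible": True}),
    # Routine nightly snapshot by an administrator: no ingress change, no public instance.
    _ev("2023-01-12T04:00:00Z", "rds.amazonaws.com", "CreateDBSnapshot", "console.amazonaws.com", ADMIN_KEY,
        {"dBInstanceIdentifier": "crm-prod", "dBSnapshotIdentifier": "crm-prod-nightly"}),
]

if __name__ == "__main__":
    print("tool user agents:", flag_tool_user_agents(EVENTS))
    print("exfil chains:", find_rds_exfil_chains(EVENTS))
```

The chain check is keyed on the access key so that an administrator's routine snapshot is not joined to an attacker's later ingress change; in an account where the attacker holds several keys, correlate on the principal ARN or the source IP instead.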

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck             8.8     HIGH
cisa                  8.8     HIGH