CVE-2023-22952
Published: 2023-01-11
CVE-2023-22952: In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
Priority: P1, 93, high, 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-02-23
Exploited in the wild
EPSS: 80.27% (99.6th percentile)
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sugarcrm | sugarcrm | >= 11.0.0 < 11.0.5 | 11.0.5 |
| sugarcrm | sugarcrm | >= 12.0.0 < 12.0.2 | 12.0.2 |
Detection & IOCs (extracted from sources)

Cookie: PHPSESSID=<uuid-format>

Snort/Suricata rule (ET sid 2043273; the `cve` metadata value is corrected here to match the CVE in the rule's `msg`):

```snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SugarCRM PHP Shell Upload Attempt (CVE-2023-22952)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; content:"PHPSESSID|3d|"; startswith; pcre:"/^PHPSESSID\x3d[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}$/"; http.request_body; content:"content|2d|disposition|3a 20|form|2d|data|3b 20|name|3d 22|module|22 0d 0a 0d 0a|emailtemplates|0d 0a|"; nocase; fast_pattern; content:"|0d 0a|content|2d|disposition|3a 20|form|2d|data|3b 20|name|3d 22|action|22 0d 0a 0d 0a|attachfiles|0d 0a|"; nocase; content:"|89 50 4e 47 0d 0a 1a 0a|"; distance:0; content:"<?php"; distance:0; reference:url,packetstormsecurity.com/files/170346/SugarCRM-Shell-Upload.html; reference:url,sugarclub.sugarcrm.com/dev-club/f/questions-answers/6123/exploit-for-sugarcrm-shell-upload; classtype:attempted-user; sid:2043273; rev:3; metadata:affected_product SugarCRM, attack_target Server, created_at 2023_01_11, cve CVE_2023_22952, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

Bytes: |89 50 4e 47 0d 0a 1a 0a| (the PNG file signature)
- The exploit uploads a PNG file with embedded PHP code to /cache/images/. Detect POST requests to /index.php with a multipart body containing both 'EmailTemplates' as module and 'AttachFiles' as action, followed by a PNG magic-bytes header immediately preceding PHP code.
- Authentication bypass: after a failed login attempt, the session is NOT destroyed. Monitor for sequences where a 'You must specify a valid username and password' response is followed by successful privileged API calls in the same session.
- Post-exploitation: detect use of Pacu (AWS exploitation framework) and Scout Suite via their distinctive user agents in CloudTrail logs. Both tools were used for post-compromise AWS account enumeration.
- Shodan/FOFA fingerprinting queries can identify exposed SugarCRM instances: search for http.html containing 'sugarcrm inc. all rights reserved', http.title 'sugar setup wizard', or http.title 'sugarcrm'.
- Monitor for RDS snapshot creation followed by security group rule modifications adding port 3306 inbound, then creation of new public RDS instances — this is the post-exploitation data exfiltration pattern observed in the wild.
- Look for long-term AWS access key files (credentials file) on EC2 instances hosting SugarCRM. Compromise of these keys is the primary lateral movement vector from SugarCRM RCE to AWS account takeover.
- The vulnerability is exploitable WITHOUT authentication due to a missing auth check in loadUser(). The failed-login session reuse trick means standard authentication logging alone is insufficient to detect exploitation.
- Uploaded webshells land in /cache/images/ and are directly web-accessible. If the server is configured to execute PHP in that directory, RCE is trivially achieved via a GET request to the uploaded file.
- Long-term AWS access keys stored in plaintext on EC2 instances hosting SugarCRM dramatically amplify the blast radius. Credential files on the host are the primary pivot point from web RCE to full AWS account compromise.
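The Snort rule above expresses the upload pattern as a chain of hex content matches; the following Python checker applies the same conditions (POST to /index.php, uuid-shaped PHPSESSID, module EmailTemplates, action AttachFiles, PNG signature followed by PHP source) to a parsed request, so a defender can run it over logged or captured POST bodies. It is an added example, not code from this page, SugarCRM or Emerging Threats; the requests it checks are constructed samples, and the upload field name "file" is an assumption.

```python
"""Detector for the EmailTemplates/AttachFiles upload pattern described by the ET rule above.
Added example, not code from the page, SugarCRM or Emerging Threats; requests are constructed
samples and the upload field name "file" is an assumption."""
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # the rule's |89 50 4e 47 0d 0a 1a 0a| match
# session id shape the rule's pcre requires: 8-4-4-4-12 lowercase hex
UUID_SESSION = re.compile(r"^PHPSESSID=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def parse_multipart(content_type, body):
    """Split a multipart/form-data body into (name, filename, payload) tuples."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return []
    parts = []
    for chunk in body.split(b"--" + m.group(1).encode())[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        head, sep, payload = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue
        name = re.search(r'[; ]name="([^"]*)"', head.decode("latin-1"))
        fname = re.search(r'filename="([^"]*)"', head.decode("latin-1"))
        if payload.endswith(b"\r\n"):  # CRLF before the next delimiter is not payload
            payload = payload[:-2]
        parts.append((name and name.group(1), fname and fname.group(1), payload))
    return parts

def is_attachfiles_shell_upload(req):
    """Apply the rule's conditions: POST to /index.php, uuid-shaped PHPSESSID, module
    EmailTemplates, action AttachFiles, and a "PNG" carrying PHP source after its signature."""
    if req["method"] != "POST" or "/index.php" not in req["uri"]:
        return False
    if not UUID_SESSION.match(req.get("cookie", "")):
        return False
    fields, files = {}, []
    for name, fname, payload in parse_multipart(req["content_type"], req["body"]):
        if fname is not None:
            files.append(payload)
        elif name:
            fields[name.lower()] = payload.strip().lower()
    if fields.get("module") != b"emailtemplates" or fields.get("action") != b"attachfiles":
        return False
    return any(p.startswith(PNG_MAGIC) and b"<?php" in p[len(PNG_MAGIC):] for p in files)

def build_request(cookie, file_bytes, module=b"EmailTemplates", action=b"AttachFiles"):
    """Construct a sample request in the shape the rule inspects (not captured traffic)."""
    b = b"----constructedboundary"
    body = (b"--" + b + b'\r\nContent-Disposition: form-data; name="module"\r\n\r\n' + module +
            b"\r\n--" + b + b'\r\nContent-Disposition: form-data; name="action"\r\n\r\n' + action +
            b"\r\n--" + b + b'\r\nContent-Disposition: form-data; name="file"; filename="x.png"\r\n'
            b"Content-Type: image/png\r\n\r\n" + file_bytes + b"\r\n--" + b + b"--\r\n")
    return {"method": "POST", "uri": "/index.php", "cookie": cookie,
            "content_type": "multipart/form-data; boundary=" + b.decode(), "body": body}
```

A genuine PNG upload to the same endpoint (signature present, no `<?php` after it) does not fire, which is the distinction the rule's final two content matches encode.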
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
GHSA
GHSA-g9w6-c3gx-pmr3 (ghsa_unreviewed, 2023-01-11) · CVE-2023-22952 [HIGH] CWE-20
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
VulnCheck
Multiple SugarCRM Products Remote Code Execution Vulnerability (vulncheck, 2023, CVSS 8.8) · CVE-2023-22952 [HIGH] CWE-20
Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates.
Affected: SugarCRM Multiple Products
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://infosec.exchange/@ll/109630615353251077
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-20&host_type=src&vulnerability=cve-2023-22952
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01
CISA
Multiple SugarCRM Products Remote Code Execution Vulnerability (cisa, 2023-02-02, CVSS 8.8) · CVE-2023-22952 [HIGH] CWE-20
Affected: SugarCRM Multiple Products
Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates.
Required Action: Apply updates per vendor instructions.
Notes:
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/
- https://nvd.nist.gov/vuln/detail/CVE-2023-22952
Remediation Due Date: 2023-02-23
Suricata
ET EXPLOIT SugarCRM PHP Shell Upload Attempt (CVE-2023-22952) (suricata, 2023-01-11, CVSS 8.8) · CVE-2023-22952 [HIGH]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SugarCRM PHP Shell Upload Attempt (CVE-2023-22952)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; content:"PHPSESSID|3d|"; startswith; pcre:"/^PHPSESSID\x3d[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}$/"; http.request_body; content:"content|2d|disposition|3a 20|form|2d|data|3b 20|name|3d 22|module|22 0d 0a 0d 0a|emailtemplates|0d 0a|"; nocase; fast_pattern; content:"|0d 0a|content|2d|disposition|3a 20|form|2d|data|3b 20|name|3d 22|action|22 0d 0a 0d 0a|attachfiles|0d 0a|"; nocase; content:"|89 50 4e 47 0d 0a 1a 0a|"; distance:0; content:"<?php"; distance:0; reference:url,packets
Nuclei
SugarCRM Unauthenticated - Remote Code Execution (nuclei, CVSS 8.8) · CVE-2023-22952 [HIGH]
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
Template:

```yaml
id: CVE-2023-22952
info:
  name: SugarCRM Unauthenticated - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
  impact: |
    Authenticated attackers can inject custom PHP code through EmailTemplates to execute arbitrary commands on the SugarCRM server, potentially compromising customer relationship data and business intelligence information.
  remediation: |
    Update SugarCRM to version 12.0 Hotfix 91155 or
```
Metasploit
SugarCRM unauthenticated Remote Code Execution (RCE) (metasploit, CVSS 8.8) · CVE-2023-22952 [HIGH]
This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise, Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and Serve versions prior to 12.0.2. The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint /index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration, the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and gaining access to the system. This vulnerability does not require a
Sentinelone
Prioritizing CVEs in the Cloud (blogs_sentinelone, 2025-05-15)
## Foreword & Guest Bio
As part of this ongoing series, SentinelOne is excited to present a series of guest blogs from cloud security experts covering their views on cloud security best practices. Following on from blogs from Teri Radichel, who focused on what AWS security gotchas to avoid and how to address the risk of faulty logic, we now have Rami McCarthy providing his view on cloud CVEs and his approach to vulnerability prioritization.
Rami is a self-proclaimed “security wonk”. Most recently, he helped build the Infrastructure Security program at Figma. Before that, he worked as a security consultant and helped scale security for a health-tech unicorn. He writes extensively about security over at ramimac.me and elsewhere.
## Introduction
Common Vulnerabilities and Exposures (CVEs) are
Qualys
2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is (blogs_qualys, 2023-12-19)
## Table of Contents
- 2023 Statistics
- 2023 Vulnerability Threat Landscape
- Top Vulnerability Types
- Key Insights
- Top MITRE ATT&CK Tactics & Techniques
- Most Active Threats
- Conclusion
As 2023 nears its end, it’s time to pause and reflect. It’s time to assess what worked and what didn’t, what caught our attention and caused disruption, and what went unnoticed. More importantly, we need to know what lessons we learned from 2023 so that we can do a better job of managing risk in the coming year. In line with this, the Qualys Threat Research Unit has prepared a comprehensive blog series to review the threat landscape in 2023.
Key Takeaways:
- Less than one percent of vulnerabilities contributed to the highest risk and were routinely exploited in the wild.
- 97 high-risk vulnerabilities, like
Qualys
Top Cyber Threats of 2023: An In-Depth Review (Part One) | Qualys (blogs_qualys, 2023-12-19)
Qualys
Top 10 Exploited Vulnerabilities in 2023: Insights from the Qualys Survey | Qualys (blogs_qualys, 2023-09-26, CVSS 7.8) [HIGH]
#### Table of Contents
- 7 Key Insights by the Qualys Threat Research Unit
- A Closer Look at the Top 10 Exploited Vulnerabilities of 2023
- Optimizing Risk Management with Qualys VMDR TruRisk Dashboard
- Next Steps: Reduce Your Risk to the Top 10 Vulnerabilities with Qualys VMDR
- Additional Contributors
The Qualys Threat Research Unit (TRU) has thoroughly analyzed vulnerabilities reported in 2023. Our comprehensive study assesses factors including weaponization status, existence in the CISA KEV, instances or usage of malware and ransomware, trending vulnerabilities, various scoring metrics, and recency of threats. Insights for the Top 10 vulnerabilities during 2023 are also based on evidence of exploitation, patch adoption rates, and the longevity of vulnerabilities.
## 7 Key Insights
Qualys
Qualys Survey of Top 10 Exploited Vulnerabilities in 2023 (blogs_qualys, 2023-09-26, CVSS 7.8) [HIGH]
Unit42
When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability (blogs_unit42, 2023-08-10, CVSS 8.8) · CVE-2023-22952 [HIGH]
Author: Margaret Kelley · Published: August 10, 2023 · Tags: Cloud Cybersecurity Research, Threat Research, Vulnerabilities, Black Hat, CVE-2023-22952, SugarCRM, Zero-day
## Executive Summary
While the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. Because it’s a web application, if it’s not configured or secured correctly, the infrastructure behind the scenes can allow attackers to increase their impact. When a threat actor understands the underlying technology used by cloud service providers, they can accomplish a great deal if they can gain access to credentials that have the right permissions.
During the past year, Unit 42 responded to multiple cases where the SugarCRM vulnerability CVE-2023-22952 was an initial attack vector that allowed threat actors to gain access to AWS accounts. This was not due to a vulnerability
Greynoiseio
NoiseLetter (blogs_greynoiseio)
References:
- http://packetstormsecurity.com/files/171320/SugarCRM-12.x-Remote-Code-Execution-Shell-Upload.html
- https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22952

Timeline:
- 2023-01-11: Published
- 2023-02-02: Added to CISA KEV
- Exploited in the wild