Vtenext’s CRM solution, widely used by small and medium-sized Italian enterprises, suffers from multiple critical flaws in version 25.02 and earlier.
Three distinct unauthenticated vectors enable attackers to bypass authentication and ultimately achieve remote code execution (RCE) on the target server.
Although version 25.02.1 silently patched the most severe vector, the remaining issues still put countless deployments at risk. Administrators are strongly urged to update immediately to mitigate exposure.
Attack Vectors Overview
The chained vulnerabilities in Vtenext 25.02 can be grouped into three authentication-bypass vectors.
Each requires progressively less user interaction:
Vector # | Primary Flaw | Secondary Flaws | User Interaction Required | Authentication Gain |
---|---|---|---|---|
1 | Reflected XSS via POST (improper sanitization) | CSRF bypass (HTTP method tampering), session leak | Yes | Arbitrary user session hijack |
2 | Reflected XSS via POST | CSRF bypass, SQL injection | Yes | Extraction of password reset token |
3 | Arbitrary password reset (missing token validation) | N/A | No | Full account takeover (including admin) |
Vector 1: Multi-Stage XSS Chain
The first vector exploits a reflected XSS in HomeWidgetBlockList.php, where widget IDs from unsanitized JSON are returned with a text/html content-type.
Attackers inject JavaScript payloads to exfiltrate the victim’s session cookie, bypassing the HttpOnly flag through an information-disclosure flaw in the Touch module.
By switching from POST to GET, they circumvent CSRF token checks entirely. This sequence enables session hijacking and full authentication bypass with minimal effort.
Vector 2: SQL Injection Escalation
Similar to Vector 1, the second chain begins with reflected XSS and CSRF bypass but adds a SQL injection in modules/Fax/EditView.php.
Although prepared statements are used, user-controlled fieldname parameters are interpolated directly into queries.
By injecting subqueries, attackers extract password reset tokens from vte_userauthtoken. Possession of the token allows an attacker to reset any user's password and log in as that account.
Vector 3: Silent Password Reset
The most critical vector requires no user interaction. The hub/rpwd.php endpoint's change_password action processes arbitrary user_name and confirm_new_password parameters without validating the reset token.
By invoking the change logic with skipOldPwdCheck set to true, any account's password can be updated directly, effectively granting attackers immediate, unauthenticated administrative access.
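To make the missing check concrete, the following is an added illustration written for this article, not Vtenext's code: a hypothetical PHP reset handler in the unvalidated form beside a hardened form that requires a per-user, expiring, single-use token. The table and column names (users, reset_tokens), the $db connection and the request array are assumptions.

```php
<?php
// Hypothetical password-reset handler illustrating the class of flaw in
// Vector 3. Not Vtenext's code; schema and helper names are assumptions.

// VULNERABLE PATTERN: no reset token is ever checked, so anyone who can
// reach the endpoint can set any account's password.
function change_password_vulnerable(PDO $db, array $req): bool {
    $user = $req['user_name'] ?? '';
    $new  = $req['confirm_new_password'] ?? '';
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE user_name = ?');
    return $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
}

// HARDENED: the request must carry a token issued for this exact user that
// is unexpired and unused, and the token is consumed on success. Only a hash
// of the token is stored, so reading the table (as in Vector 2) does not
// yield a token that can be replayed.
function change_password_hardened(PDO $db, array $req): bool {
    $user  = $req['user_name'] ?? '';
    $token = $req['token'] ?? '';
    $new   = $req['confirm_new_password'] ?? '';
    if ($user === '' || $token === '' || strlen($new) < 12) {
        return false;
    }
    $stmt = $db->prepare(
        'SELECT token_hash, expires_at FROM reset_tokens WHERE user_name = ? AND used = 0'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || strtotime($row['expires_at']) < time()) {
        return false;   // no outstanding token, or it has expired
    }
    // Constant-time comparison of the presented token against the stored hash.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE reset_tokens SET used = 1 WHERE user_name = ? AND token_hash = ?')
       ->execute([$user, $row['token_hash']]);
    $db->prepare('UPDATE users SET password_hash = ? WHERE user_name = ?')
       ->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    $db->commit();
    return true;
}
```

A flag such as skipOldPwdCheck should only ever be honoured after the token check above has passed, never as a substitute for it.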
RCE Primitives
Once authenticated, attackers can achieve RCE through:
- Local File Inclusion (LFI): Multiple endpoints allow path traversal to include PHP files; pearcmd.php can be leveraged to write and execute arbitrary PHP code if PEAR is installed.
- Module Upload: Administrators can import malicious custom modules as web shells, guaranteeing RCE by design.
Disclosure and Mitigation
The researcher repeatedly attempted responsible disclosure from May 28 to July 13, 2025, but received no meaningful response until after public notification.
On July 24, version 25.02.1 silently patched Vector 3; Vtenext has since acknowledged missed communications due to spam filtering.
However, Vtenext installations worldwide still face exposure from Vectors 1 and 2. Immediate upgrade to version 25.02.1 or later is imperative, and a comprehensive security review of custom modules and exposed endpoints is recommended.