Multiple vtenext Flaws Allow Authentication Bypass and Remote Code Execution

Vtenext’s CRM solution, widely used by small and medium-sized Italian enterprises, suffers from multiple critical flaws in version 25.02 and earlier.

Three distinct unauthenticated vectors enable attackers to bypass authentication and ultimately achieve remote code execution (RCE) on the target server.

Although version 25.02.1 silently patched the most severe vector, the remaining issues still put countless deployments at risk. Administrators are strongly urged to update immediately to mitigate exposure.

Attack Vectors Overview

The chained vulnerabilities in Vtenext 25.02 can be grouped into three authentication-bypass vectors.

Each requires progressively less user interaction:

Vector 1
  • Primary flaw: Reflected XSS via POST (improper sanitization)
  • Secondary flaws: CSRF bypass (HTTP method tampering), session leak
  • User interaction required: Yes
  • Authentication gain: Arbitrary user session hijack

Vector 2
  • Primary flaw: Reflected XSS via POST
  • Secondary flaws: CSRF bypass, SQL injection
  • User interaction required: Yes
  • Authentication gain: Extraction of password reset token

Vector 3
  • Primary flaw: Arbitrary password reset (missing token validation)
  • Secondary flaws: N/A
  • User interaction required: No
  • Authentication gain: Full account takeover (including admin)

Vector 1: Multi-Stage XSS Chain

The first vector exploits a reflected XSS in HomeWidgetBlockList.php, where widget IDs from unsanitized JSON are returned with a text/html content-type.

Attackers inject JavaScript payloads to exfiltrate the victim’s session cookie, bypassing the HttpOnly flag through an information-disclosure flaw in the Touch module.

By switching from POST to GET, they circumvent CSRF token checks entirely. This sequence enables session hijacking and full authentication bypass with minimal effort.

Vector 2: SQL Injection Escalation

Similar to Vector 1, the second chain begins with reflected XSS and CSRF bypass but adds a SQL injection in modules/Fax/EditView.php.

Although prepared statements are used, they only bind values, not identifiers: user-controlled fieldname parameters are interpolated directly into the query text as column names.

By injecting subqueries, attackers extract password reset tokens from vte_userauthtoken. Possession of the token allows an attacker to reset any user’s password and log in as that account.

Vector 3: Silent Password Reset

The most critical vector requires no user interaction. The hub/rpwd.php endpoint’s change_password action processes arbitrary user_name and confirm_new_password parameters without validating the reset token.

By invoking the change logic with skipOldPwdCheck set to true, any account’s password can be updated directly—effectively granting attackers immediate, unauthenticated administrative access.
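To make the Vector 3 defect concrete from the fixing side, the following added example (written for this article, not vtenext's code) contrasts a reset handler that trusts user_name and skips token validation with one that binds the change to a single-use, expiring token. The in-memory USERS and TOKENS stores, the hash_pw helper and the new_password/token parameter names are constructed stand-ins, not the product's schema or API.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the CRM's user and reset-token tables
# (hypothetical; not vtenext's schema or code).
TOKEN_TTL = 900  # seconds a reset token stays valid
USERS = {"admin": {"pw_hash": hashlib.sha256(b"old-password").hexdigest()}}
TOKENS = {}  # sha256(token) -> (bound user_name, expiry timestamp)

def hash_pw(password):
    # Stand-in for a real password hash (use bcrypt/argon2 in production).
    return hashlib.sha256(password.encode()).hexdigest()

def issue_reset_token(user_name, now=None):
    """Mint a single-use token bound to one account; store only its hash."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[digest] = (user_name, (now or time.time()) + TOKEN_TTL)
    return token

def change_password_vulnerable(params):
    """The pattern the advisory describes: user_name is trusted as given and
    no reset token is ever checked, so any caller can reset any account."""
    user = USERS.get(params.get("user_name"))
    if user is None:
        return False
    user["pw_hash"] = hash_pw(params["confirm_new_password"])
    return True

def change_password_hardened(params, now=None):
    """Tie the change to a valid, unexpired, single-use token; the target
    account comes from the token, and client flags such as skipOldPwdCheck
    are never read from the request."""
    digest = hashlib.sha256(params.get("token", "").encode()).hexdigest()
    entry = TOKENS.get(digest)
    if entry is None:
        return False
    bound_user, expires_at = entry
    if (now or time.time()) > expires_at:
        TOKENS.pop(digest, None)  # stale token is discarded
        return False
    if params.get("user_name") != bound_user:
        return False  # token must not be replayed against another account
    new_pw = params.get("new_password", "")
    if len(new_pw) < 12 or new_pw != params.get("confirm_new_password"):
        return False
    USERS[bound_user]["pw_hash"] = hash_pw(new_pw)
    TOKENS.pop(digest, None)  # single use
    return True
```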

RCE Primitives

Once authenticated, attackers can achieve RCE through:

  • Local File Inclusion (LFI): Multiple endpoints allow path traversal to include PHP files; pearcmd.php can be leveraged to write and execute arbitrary PHP code if PEAR is installed.
  • Module Upload: Administrators can import malicious custom modules as web shells, guaranteeing RCE by design.

Disclosure and Mitigation

The researcher repeatedly attempted responsible disclosure from May 28 to July 13, 2025, but received no meaningful response until after public notification.

On July 24, version 25.02.1 silently patched Vector 3; Vtenext has since acknowledged missed communications due to spam filtering.

However, Vtenext installations worldwide still face exposure from Vectors 1 and 2. Immediate upgrade to version 25.02.1 or later is imperative, and a comprehensive security review of custom modules and exposed endpoints is recommended.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
