Skip to content
Threat Feed
critical advisory

Perfex CRM Unauthenticated Remote Code Execution via Insecure Deserialization

Perfex CRM is vulnerable to unauthenticated remote code execution (RCE) due to an autologin cookie being fed into unserialize().

Perfex CRM, a customer relationship management software, is susceptible to an unauthenticated remote code execution vulnerability. This vulnerability stems from the application's handling of autologin cookies. The autologin cookie is directly passed into PHP's unserialize() function without proper sanitization. This allows an attacker to inject arbitrary PHP objects into the application's context, leading to remote code execution. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server. Given the widespread use of CRM software and the ease of exploitation, this vulnerability poses a significant risk to organizations using Perfex CRM.

Attack Chain

  1. An attacker identifies a Perfex CRM instance exposed to the internet.
  2. The attacker crafts a malicious PHP object designed to execute arbitrary code. This object could leverage existing classes within the Perfex CRM codebase, or potentially utilize PHP's built-in functions for code execution.
  3. The malicious PHP object is serialized using PHP's serialize() function.
  4. The serialized object is base64 encoded.
  5. The base64 encoded string is set as the value of the autologin cookie in an HTTP request.
  6. The attacker sends the crafted HTTP request to the Perfex CRM instance, targeting a page that processes the autologin cookie.
  7. The Perfex CRM application receives the request and passes the value of the autologin cookie directly to the unserialize() function.
  8. The unserialize() function reconstructs the malicious PHP object, triggering the execution of the attacker's arbitrary code. This can lead to complete system compromise, including data exfiltration, installation of malware, or defacement of the CRM system.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on the server hosting Perfex CRM. This could lead to complete system compromise, including sensitive customer data exfiltration, installation of ransomware, or defacement of the CRM system. Organizations using vulnerable Perfex CRM instances are at high risk of data breaches, financial loss, and reputational damage.

Recommendation

  • Inspect web server logs for requests with unusually long autologin cookie values to identify potential exploitation attempts (reference: web server logs).
  • Deploy the provided Sigma rule to detect exploitation attempts based on the structure of the autologin cookie (reference: Sigma rule).
  • Implement input validation on the autologin cookie to prevent the injection of serialized PHP objects (reference: vulnerability details).

Detection coverage 2

Detect Suspiciously Long autologin Cookie

medium

Detects autologin cookies with excessive length, potentially indicating serialized payloads.

sigma tactics: initial_access techniques: T1190 sources: webserver, apache

Detect autologin cookie in URI

low

Detects autologin cookie passed via GET instead of POST

sigma tactics: initial_access techniques: T1190 sources: webserver, apache

Detection queries are available on the platform. Get full rules →

Indicators of compromise

2

url

TypeValue
urlhttps://nullcathedral.com/posts/2026-03-16-perfex-crm-unauthenticated-rce-insecure-deserialization/
urlhttps://www.reddit.com/r/netsec/comments/1rv6dqd/perfex_crm_autologin_cookie_fed_into_unserialize/