Perfex CRM Unauthenticated Remote Code Execution via Insecure Deserialization
Perfex CRM is vulnerable to unauthenticated remote code execution (RCE) due to an autologin cookie being fed into unserialize().
Perfex CRM, a customer relationship management software, is susceptible to an unauthenticated remote code execution vulnerability. This vulnerability stems from the application's handling of autologin cookies. The autologin cookie is directly passed into PHP's unserialize() function without proper sanitization. This allows an attacker to inject arbitrary PHP objects into the application's context, leading to remote code execution. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server. Given the widespread use of CRM software and the ease of exploitation, this vulnerability poses a significant risk to organizations using Perfex CRM.
Attack Chain
- An attacker identifies a Perfex CRM instance exposed to the internet.
- The attacker crafts a malicious PHP object designed to execute arbitrary code. This object could leverage existing classes within the Perfex CRM codebase, or potentially utilize PHP's built-in functions for code execution.
- The malicious PHP object is serialized using PHP's
serialize()function. - The serialized object is base64 encoded.
- The base64 encoded string is set as the value of the
autologincookie in an HTTP request. - The attacker sends the crafted HTTP request to the Perfex CRM instance, targeting a page that processes the
autologincookie. - The Perfex CRM application receives the request and passes the value of the
autologincookie directly to theunserialize()function. - The
unserialize()function reconstructs the malicious PHP object, triggering the execution of the attacker's arbitrary code. This can lead to complete system compromise, including data exfiltration, installation of malware, or defacement of the CRM system.
Impact
Successful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on the server hosting Perfex CRM. This could lead to complete system compromise, including sensitive customer data exfiltration, installation of ransomware, or defacement of the CRM system. Organizations using vulnerable Perfex CRM instances are at high risk of data breaches, financial loss, and reputational damage.
Recommendation
- Inspect web server logs for requests with unusually long
autologincookie values to identify potential exploitation attempts (reference: web server logs). - Deploy the provided Sigma rule to detect exploitation attempts based on the structure of the
autologincookie (reference: Sigma rule). - Implement input validation on the
autologincookie to prevent the injection of serialized PHP objects (reference: vulnerability details).
Detection coverage 2
Detect Suspiciously Long autologin Cookie
mediumDetects autologin cookies with excessive length, potentially indicating serialized payloads.
Detect autologin cookie in URI
lowDetects autologin cookie passed via GET instead of POST
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
url
| Type | Value |
|---|---|
| url | https://nullcathedral.com/posts/2026-03-16-perfex-crm-unauthenticated-rce-insecure-deserialization/ |
| url | https://www.reddit.com/r/netsec/comments/1rv6dqd/perfex_crm_autologin_cookie_fed_into_unserialize/ |