{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dolibarr-erp-crm-7.0.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25357"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Dolibarr ERP CRM 7.0.3"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25357","rce","code-injection","web-application"],"_cs_type":"advisory","_cs_vendors":["Dolibarr"],"content_html":"\u003cp\u003eDolibarr ERP CRM 7.0.3 is vulnerable to PHP code injection in its web installer, \u003ccode\u003einstall/step1.php\u003c/code\u003e, which results in unauthenticated remote code execution. An attacker who can reach the installer sends a POST request whose \u003ccode\u003edb_name\u003c/code\u003e parameter contains PHP code; the application does not treat the value as an opaque database name, and the injected code is subsequently evaluated on the server. No credentials are needed, because the installer endpoint itself is reachable without authentication on any instance where it has not been removed or locked after deployment. This brief was published in May 2026, but the flaw concerns version 7.0.3 and carries a 2018 CVE identifier. Successful exploitation grants the attacker the ability to execute system commands, read sensitive data, and modify the application configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to \u003ccode\u003e/install/step1.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edb_name\u003c/code\u003e parameter of that request carries attacker-chosen PHP code instead of a database name; in the chain described here, a payload that reads a \u003ccode\u003ecmd\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application processes the \u003ccode\u003edb_name\u003c/code\u003e value without sanitizing or rejecting it, so the PHP code is retained rather than refused as an invalid name.\u003c/li\u003e\n\u003cli\u003eThe injected code is evaluated by the server, making the attacker's payload live.\u003c/li\u003e\n\u003cli\u003eThe attacker then sends a GET request to \u003ccode\u003echeck.php\u003c/code\u003e with a \u003ccode\u003ecmd\u003c/code\u003e parameter naming the command to run.\u003c/li\u003e\n\u003cli\u003eThe server executes the command from the \u003ccode\u003ecmd\u003c/code\u003e parameter, giving the attacker arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to execute arbitrary code on the Dolibarr ERP CRM server, which can lead to complete system compromise: theft of sensitive data, modification of the application configuration, and denial of service. Given the customer, supplier, and financial data typically held in an ERP CRM system, this vulnerability poses a significant risk to organizations running affected versions of Dolibarr.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a fixed version of Dolibarr ERP CRM to remediate CVE-2018-25357.\u003c/li\u003e\n\u003cli\u003eMake the installer unreachable on deployed instances: remove the \u003ccode\u003einstall/\u003c/code\u003e directory or lock it (Dolibarr's installer refuses to run when an \u003ccode\u003einstall.lock\u003c/code\u003e file is present in the documents directory), and block the path at the web server or WAF as a second layer.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts against \u003ccode\u003e/install/step1.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for POST requests to \u003ccode\u003e/install/step1.php\u003c/code\u003e whose \u003ccode\u003edb_name\u003c/code\u003e parameter contains quotes, semicolons, \u003ccode\u003e\u0026lt;?\u003c/code\u003e, or function names such as \u003ccode\u003eeval\u003c/code\u003e or \u003ccode\u003esystem\u003c/code\u003e, and for GET requests to \u003ccode\u003echeck.php\u003c/code\u003e carrying a \u003ccode\u003ecmd\u003c/code\u003e parameter. Standard access logs do not record POST bodies, so inspecting \u003ccode\u003edb_name\u003c/code\u003e requires request-body logging (a WAF or ModSecurity audit log); where only access logs exist, treat any POST to \u003ccode\u003e/install/step1.php\u003c/code\u003e on a production instance as suspicious, since it should not occur after deployment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:55:52Z","date_published":"2026-05-26T13:55:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dolibarr-rce/","summary":"Dolibarr ERP CRM 7.0.3 is vulnerable to PHP code injection in install/step1.php: an unauthenticated attacker who submits PHP code in the db_name parameter obtains arbitrary code execution on the server.","title":"Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php","url":"https://feed.craftedsignal.io/briefs/2026-05-dolibarr-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Dolibarr ERP CRM 7.0.3","version":"https://jsonfeed.org/version/1.1"}
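The detection the brief recommends, written out as an added example that is not part of the CraftedSignal feed or of Dolibarr: it classifies each request, flags PHP metacharacters in the `db_name` parameter of a POST to `install/step1.php`, flags a GET to `check.php` with a `cmd` parameter, and escalates when both come from the same source within a short window. It assumes a request log that records POST bodies (for example a WAF or ModSecurity audit log exported as one JSON object per request); the record layout (`ts`, `src_ip`, `method`, `path`, `query`, `body`), the `CHAIN_WINDOW_SECONDS` value, and the sample requests are constructed for illustration.

```python
"""Detection for the install/step1.php db_name injection chain.

Added example, not feed or project code. Assumes a request log with POST
bodies, one JSON object per line; layout and samples are constructed.
"""
import json
import re
from datetime import datetime
from urllib.parse import parse_qs

# Tokens that never belong in a database name but are needed to break out of
# a quoted string and write PHP. Deliberately broad: a false positive on an
# installer POST is cheap, a missed injection is not.
PHP_INJECTION_RE = re.compile(
    r"<\?|\?>|['\";$(){}]|\b(?:system|passthru|shell_exec|exec|eval|assert)\b", re.I
)

# Gap between the installer POST and the check.php trigger still counted as
# one chain (assumption; tune to your environment).
CHAIN_WINDOW_SECONDS = 600

# Constructed sample log: one JSON object per request, bodies included.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2026-05-26T13:40:01Z", "src_ip": "203.0.113.10", "method": "GET",
     "path": "/dolibarr/index.php", "query": "mainmenu=home", "body": ""},
    {"ts": "2026-05-26T13:40:30Z", "src_ip": "192.0.2.9", "method": "POST",
     "path": "/dolibarr/install/step1.php", "query": "",
     "body": "db_name=dolibarr&db_user=dolibarr&db_pass=s3cret"},
    {"ts": "2026-05-26T13:41:12Z", "src_ip": "198.51.100.7", "method": "POST",
     "path": "/dolibarr/install/step1.php", "query": "",
     "body": "db_name=dolibarr%27%3Beval%28%24_GET%5B%27cmd%27%5D%29%3B%27&db_user=dolibarr"},
    {"ts": "2026-05-26T13:41:30Z", "src_ip": "198.51.100.7", "method": "GET",
     "path": "/dolibarr/install/check.php", "query": "cmd=id", "body": ""},
    {"ts": "2026-05-26T13:55:00Z", "src_ip": "192.0.2.55", "method": "GET",
     "path": "/dolibarr/install/check.php", "query": "cmd=whoami", "body": ""},
])


def load_records(text):
    """Parse a newline-delimited JSON request log into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def classify(rec):
    """Return (kind, severity, reason) for one request, or None if uninteresting."""
    method = rec.get("method", "").upper()
    path = rec.get("path", "")
    if method == "POST" and path.endswith("/install/step1.php"):
        # parse_qs URL-decodes the body, so the regex sees the raw PHP.
        db_name = parse_qs(rec.get("body", "")).get("db_name", [""])[0]
        if PHP_INJECTION_RE.search(db_name):
            return ("db_name_injection", "critical",
                    "PHP code in db_name posted to install/step1.php")
        # Any installer POST on a deployed instance deserves a look.
        return ("installer_post", "medium", "POST to install/step1.php")
    if (method == "GET" and path.endswith("check.php")
            and "cmd" in parse_qs(rec.get("query", ""))):
        return ("cmd_trigger", "high", "GET to check.php with a cmd parameter")
    return None


def detect(records):
    """Classify each record and correlate injection + trigger by source IP.

    Returns findings in timestamp order as dicts with ts, src_ip, severity, reason.
    """
    findings = []
    last_injection = {}  # src_ip -> datetime of the most recent db_name injection
    for rec in sorted(records, key=lambda r: parse_ts(r["ts"])):
        hit = classify(rec)
        if hit is None:
            continue
        kind, severity, reason = hit
        src = rec.get("src_ip", "?")
        ts = rec["ts"]
        when = parse_ts(ts)
        if kind == "db_name_injection":
            last_injection[src] = when
        elif (kind == "cmd_trigger" and src in last_injection
              and (when - last_injection[src]).total_seconds() <= CHAIN_WINDOW_SECONDS):
            severity = "critical"
            reason = "check.php cmd trigger after db_name injection from the same source"
        findings.append({"ts": ts, "src_ip": src, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect(load_records(SAMPLE_LOG)):
        print(f"{f['ts']} {f['src_ip']:<14} {f['severity']:<8} {f['reason']}")
```

On the sample log this yields four findings: the clean installer POST from 192.0.2.9 at medium, the injected `db_name` from 198.51.100.7 at critical, its `check.php?cmd=id` follow-up escalated to critical because it arrives 18 seconds later from the same source, and the lone `check.php?cmd=whoami` from 192.0.2.55 at high. The source-IP correlation is intentionally simple; an attacker who rotates addresses between the two requests still produces the two individual findings, which is why neither is suppressed in favour of the chain alert.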