Dolibarr ERP CRM 7.0.3 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/dolibarr-erp-crm-7.0.3/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 26 May 2026 13:55:52 +0000Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.phphttps://feed.craftedsignal.io/briefs/2026-05-dolibarr-rce/Tue, 26 May 2026 13:55:52 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-dolibarr-rce/Dolibarr ERP CRM 7.0.3 is vulnerable to remote code evaluation, allowing unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter, leading to arbitrary command execution.Dolibarr ERP CRM 7.0.3 is susceptible to a remote code evaluation vulnerability that permits unauthenticated attackers to execute arbitrary code. The vulnerability is located in the install/step1.php file and can be exploited by injecting PHP code into the db_name parameter via a POST request. This allows attackers to bypass authentication and execute arbitrary PHP code on the server, potentially leading to complete system compromise. This vulnerability was reported in May 2026 but relates to software version 7.0.3. Successful exploitation grants the attacker the ability to execute system commands, read sensitive data, and modify application configurations.

Attack Chain

  1. The attacker sends a POST request to /install/step1.php.
  2. The POST request includes the db_name parameter containing malicious PHP code.
  3. The application improperly processes the injected PHP code within the db_name parameter.
  4. The injected code is evaluated, allowing the attacker to execute arbitrary commands.
  5. The attacker then accesses the check.php endpoint using a GET request.
  6. The GET request includes a cmd parameter, specifying the command to be executed.
  7. The server executes the command specified in the cmd parameter.
  8. The attacker gains arbitrary code execution on the server.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on the Dolibarr ERP CRM server. This could lead to complete system compromise, including the theft of sensitive data, modification of application configurations, and denial of service. Given the sensitive nature of data typically stored within an ERP CRM system, this vulnerability poses a significant risk to organizations using affected versions of Dolibarr.

Recommendation

  • Apply available patches or upgrade to a secure version of Dolibarr ERP CRM to remediate CVE-2018-25357.
  • Deploy the provided Sigma rule to detect exploitation attempts against /install/step1.php.
  • Monitor web server logs for POST requests to /install/step1.php containing suspicious characters in the db_name parameter.
]]>criticaladvisorycve-2018-25357rcecode-injectionweb-application