<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>EGroupware (&lt; 23.1.20260601) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/egroupware--23.1.20260601/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 13:14:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/egroupware--23.1.20260601/feed.xml" rel="self" type="application/rss+xml"/><item><title>EGroupware Authenticated RCE via Malicious eTemplate Upload (CVE-2026-40187)</title><link>https://feed.craftedsignal.io/briefs/2026-07-egroupware-authenticated-rce/</link><pubDate>Tue, 07 Jul 2026 13:14:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-egroupware-authenticated-rce/</guid><description>An authenticated EGroupware administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (`.xet`) containing unescaped backtick characters that lead to shell command execution within a PHP `eval()` call during template processing (CVE-2026-40187), impacting non-Docker or non-hardened EGroupware deployments.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-40187, has been identified in EGroupware, allowing an authenticated administrator to achieve OS-level Remote Code Execution (RCE). The flaw resides in the <code>Widget::expand_name()</code> method within <code>api/src/Etemplate/Widget.php</code>, which passes template widget attribute values into a PHP <code>eval()</code> call. Crucially, while double quotes are escaped, backtick characters are not. In PHP, backticks inside a double-quoted <code>eval()</code> string trigger shell command execution. This means a malicious eTemplate XML file (<code>.xet</code>) uploaded by an administrator can leverage this oversight to execute arbitrary commands on the host server. The vulnerability affects EGroupware versions &gt;= 26.0.20251208 but &lt; 26.0.20260113, and versions &lt; 23.1.20260601. A mitigating factor exists in official Docker deployments, which typically set <code>disable_functions</code> in <code>php.ini</code> to block <code>shell_exec()</code>, but non-Docker or misconfigured installations are fully vulnerable.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains authenticated administrative access to an EGroupware instance.</li>
<li>The attacker navigates to the Admin -&gt; Filemanager -&gt; VFS Mounts section within EGroupware and clicks &quot;Install custom templates&quot; to mount the <code>/etemplates</code> directory with administrative write access.</li>
<li>The attacker crafts a malicious <code>index.xet</code> XML file that contains a payload, such as <code>&lt;textbox id=&quot;$row\</code>touch /tmp/pwned_egw 2&gt;/dev/null`&quot;/&gt;<code>, embedding a shell command (</code>touch /tmp/pwned_egw`) within a widget ID attribute.</li>
<li>The attacker uploads this malicious <code>index.xet</code> file to a specific path within the mounted VFS, typically <code>/etemplates/admin/templates/default/index.xet</code>, using the EGroupware file manager.</li>
<li>To trigger the vulnerability, the attacker then navigates to an EGroupware admin panel URL, such as <code>https://&lt;target&gt;/egroupware/index.php?menuaction=admin.admin_ui.index</code>, which causes the application to load and process the custom template.</li>
<li>During template processing, the <code>Widget::expand_name()</code> method is invoked, and the specially crafted widget ID containing the backtick shell command is passed to a PHP <code>eval()</code> call.</li>
<li>Due to the unescaped backticks, the PHP interpreter executes the embedded shell command (<code>touch /tmp/pwned_egw 2&gt;/dev/null</code>) on the underlying Linux operating system.</li>
<li>The shell command runs with the privileges of the web server user (e.g., <code>www-data</code>), creating or modifying files on the server and achieving RCE.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40187 allows an attacker with administrative EGroupware credentials to elevate their privileges to arbitrary OS command execution as the web server user. From this position, an attacker can access sensitive system files (e.g., database credentials), establish persistence mechanisms, pivot to other internal systems, or completely compromise the EGroupware server and its data. The vulnerability directly affects any EGroupware installation that is not using the official Docker deployment with its hardened <code>php.ini</code> settings or has had <code>disable_functions</code> modified. While no specific victim count is provided, all non-hardened EGroupware instances are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize patching EGroupware installations to a version that addresses CVE-2026-40187 immediately.</li>
<li>Ensure that PHP's <code>disable_functions</code> directive in <code>php.ini</code> is properly configured to block functions like <code>exec</code>, <code>passthru</code>, <code>shell_exec</code>, <code>system</code>, <code>proc_open</code>, and <code>popen</code> on all EGroupware servers, especially non-Docker deployments.</li>
<li>Deploy the provided Sigma rule to detect suspicious process creation activities indicating potential exploitation of CVE-2026-40187.</li>
<li>Enable comprehensive <code>process_creation</code> logging on all Linux servers hosting EGroupware to capture command line arguments, parent processes, and user information, which is critical for the Sigma rule.</li>
<li>Block the execution of the commands identified in the IOCs (e.g., <code>touch /tmp/pwned_egw</code>, <code>id &gt; /tmp/pwned_egw</code>) at endpoint protection layers where possible.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>rce</category><category>web-vulnerability</category><category>php</category><category>egroupware</category><category>linux</category></item></channel></rss>