{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/egroupware--26.0.20251208--26.0.20260113/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EGroupware (\u003e= 26.0.20251208, \u003c 26.0.20260113)","EGroupware (\u003c 23.1.20260601)"],"_cs_severities":["high"],"_cs_tags":["rce","web-vulnerability","php","egroupware","linux"],"_cs_type":"advisory","_cs_vendors":["EGroupware"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-40187, has been identified in EGroupware, allowing an authenticated administrator to achieve OS-level Remote Code Execution (RCE). The flaw resides in the \u003ccode\u003eWidget::expand_name()\u003c/code\u003e method within \u003ccode\u003eapi/src/Etemplate/Widget.php\u003c/code\u003e, which passes template widget attribute values into a PHP \u003ccode\u003eeval()\u003c/code\u003e call. Crucially, while double quotes are escaped, backtick characters are not. In PHP, backticks inside a double-quoted \u003ccode\u003eeval()\u003c/code\u003e string trigger shell command execution. This means a malicious eTemplate XML file (\u003ccode\u003e.xet\u003c/code\u003e) uploaded by an administrator can leverage this oversight to execute arbitrary commands on the host server. The vulnerability affects EGroupware versions \u0026gt;= 26.0.20251208 but \u0026lt; 26.0.20260113, and versions \u0026lt; 23.1.20260601. A mitigating factor exists in official Docker deployments, which typically set \u003ccode\u003edisable_functions\u003c/code\u003e in \u003ccode\u003ephp.ini\u003c/code\u003e to block \u003ccode\u003eshell_exec()\u003c/code\u003e, but non-Docker or misconfigured installations are fully vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated administrative access to an EGroupware instance.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Admin -\u0026gt; Filemanager -\u0026gt; VFS Mounts section within EGroupware and clicks \u0026quot;Install custom templates\u0026quot; to mount the \u003ccode\u003e/etemplates\u003c/code\u003e directory with administrative write access.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eindex.xet\u003c/code\u003e XML file that contains a payload, such as \u003ccode\u003e\u0026lt;textbox id=\u0026quot;$row\\\u003c/code\u003etouch /tmp/pwned_egw 2\u0026gt;/dev/null`\u0026quot;/\u0026gt;\u003ccode\u003e, embedding a shell command (\u003c/code\u003etouch /tmp/pwned_egw`) within a widget ID attribute.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads this malicious \u003ccode\u003eindex.xet\u003c/code\u003e file to a specific path within the mounted VFS, typically \u003ccode\u003e/etemplates/admin/templates/default/index.xet\u003c/code\u003e, using the EGroupware file manager.\u003c/li\u003e\n\u003cli\u003eTo trigger the vulnerability, the attacker then navigates to an EGroupware admin panel URL, such as \u003ccode\u003ehttps://\u0026lt;target\u0026gt;/egroupware/index.php?menuaction=admin.admin_ui.index\u003c/code\u003e, which causes the application to load and process the custom template.\u003c/li\u003e\n\u003cli\u003eDuring template processing, the \u003ccode\u003eWidget::expand_name()\u003c/code\u003e method is invoked, and the specially crafted widget ID containing the backtick shell command is passed to a PHP \u003ccode\u003eeval()\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eDue to the unescaped backticks, the PHP interpreter executes the embedded shell command (\u003ccode\u003etouch /tmp/pwned_egw 2\u0026gt;/dev/null\u003c/code\u003e) on the underlying Linux operating system.\u003c/li\u003e\n\u003cli\u003eThe shell command runs with the privileges of the web server user (e.g., \u003ccode\u003ewww-data\u003c/code\u003e), creating or modifying files on the server and achieving RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40187 allows an attacker with administrative EGroupware credentials to elevate their privileges to arbitrary OS command execution as the web server user. From this position, an attacker can access sensitive system files (e.g., database credentials), establish persistence mechanisms, pivot to other internal systems, or completely compromise the EGroupware server and its data. The vulnerability directly affects any EGroupware installation that is not using the official Docker deployment with its hardened \u003ccode\u003ephp.ini\u003c/code\u003e settings or has had \u003ccode\u003edisable_functions\u003c/code\u003e modified. While no specific victim count is provided, all non-hardened EGroupware instances are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching EGroupware installations to a version that addresses CVE-2026-40187 immediately.\u003c/li\u003e\n\u003cli\u003eEnsure that PHP's \u003ccode\u003edisable_functions\u003c/code\u003e directive in \u003ccode\u003ephp.ini\u003c/code\u003e is properly configured to block functions like \u003ccode\u003eexec\u003c/code\u003e, \u003ccode\u003epassthru\u003c/code\u003e, \u003ccode\u003eshell_exec\u003c/code\u003e, \u003ccode\u003esystem\u003c/code\u003e, \u003ccode\u003eproc_open\u003c/code\u003e, and \u003ccode\u003epopen\u003c/code\u003e on all EGroupware servers, especially non-Docker deployments.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process creation activities indicating potential exploitation of CVE-2026-40187.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive \u003ccode\u003eprocess_creation\u003c/code\u003e logging on all Linux servers hosting EGroupware to capture command line arguments, parent processes, and user information, which is critical for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eBlock the execution of the commands identified in the IOCs (e.g., \u003ccode\u003etouch /tmp/pwned_egw\u003c/code\u003e, \u003ccode\u003eid \u0026gt; /tmp/pwned_egw\u003c/code\u003e) at endpoint protection layers where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T13:14:06Z","date_published":"2026-07-07T13:14:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-egroupware-authenticated-rce/","summary":"An authenticated EGroupware administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (`.xet`) containing unescaped backtick characters that lead to shell command execution within a PHP `eval()` call during template processing (CVE-2026-40187), impacting non-Docker or non-hardened EGroupware deployments.","title":"EGroupware Authenticated RCE via Malicious eTemplate Upload (CVE-2026-40187)","url":"https://feed.craftedsignal.io/briefs/2026-07-egroupware-authenticated-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - EGroupware (\u003e= 26.0.20251208, \u003c 26.0.20260113)","version":"https://jsonfeed.org/version/1.1"}