{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/egroupware/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EGroupware (\u003e= 26.0.20251208, \u003c 26.0.20260113)","EGroupware (\u003c 23.1.20260601)"],"_cs_severities":["high"],"_cs_tags":["rce","web-vulnerability","php","egroupware","linux"],"_cs_type":"advisory","_cs_vendors":["EGroupware"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-40187, has been identified in EGroupware, allowing an authenticated administrator to achieve OS-level Remote Code Execution (RCE). The flaw resides in the \u003ccode\u003eWidget::expand_name()\u003c/code\u003e method within \u003ccode\u003eapi/src/Etemplate/Widget.php\u003c/code\u003e, which passes template widget attribute values into a PHP \u003ccode\u003eeval()\u003c/code\u003e call. Crucially, while double quotes are escaped, backtick characters are not. In PHP, backticks inside a double-quoted \u003ccode\u003eeval()\u003c/code\u003e string trigger shell command execution. This means a malicious eTemplate XML file (\u003ccode\u003e.xet\u003c/code\u003e) uploaded by an administrator can leverage this oversight to execute arbitrary commands on the host server. The vulnerability affects EGroupware versions \u0026gt;= 26.0.20251208 but \u0026lt; 26.0.20260113, and versions \u0026lt; 23.1.20260601. A mitigating factor exists in official Docker deployments, which typically set \u003ccode\u003edisable_functions\u003c/code\u003e in \u003ccode\u003ephp.ini\u003c/code\u003e to block \u003ccode\u003eshell_exec()\u003c/code\u003e, but non-Docker or misconfigured installations are fully vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated administrative access to an EGroupware instance.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Admin -\u0026gt; Filemanager -\u0026gt; VFS Mounts section within EGroupware and clicks \u0026quot;Install custom templates\u0026quot; to mount the \u003ccode\u003e/etemplates\u003c/code\u003e directory with administrative write access.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eindex.xet\u003c/code\u003e XML file that contains a payload, such as \u003ccode\u003e\u0026lt;textbox id=\u0026quot;$row\\\u003c/code\u003etouch /tmp/pwned_egw 2\u0026gt;/dev/null`\u0026quot;/\u0026gt;\u003ccode\u003e, embedding a shell command (\u003c/code\u003etouch /tmp/pwned_egw`) within a widget ID attribute.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads this malicious \u003ccode\u003eindex.xet\u003c/code\u003e file to a specific path within the mounted VFS, typically \u003ccode\u003e/etemplates/admin/templates/default/index.xet\u003c/code\u003e, using the EGroupware file manager.\u003c/li\u003e\n\u003cli\u003eTo trigger the vulnerability, the attacker then navigates to an EGroupware admin panel URL, such as \u003ccode\u003ehttps://\u0026lt;target\u0026gt;/egroupware/index.php?menuaction=admin.admin_ui.index\u003c/code\u003e, which causes the application to load and process the custom template.\u003c/li\u003e\n\u003cli\u003eDuring template processing, the \u003ccode\u003eWidget::expand_name()\u003c/code\u003e method is invoked, and the specially crafted widget ID containing the backtick shell command is passed to a PHP \u003ccode\u003eeval()\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eDue to the unescaped backticks, the PHP interpreter executes the embedded shell command (\u003ccode\u003etouch /tmp/pwned_egw 2\u0026gt;/dev/null\u003c/code\u003e) on the underlying Linux operating system.\u003c/li\u003e\n\u003cli\u003eThe shell command runs with the privileges of the web server user (e.g., \u003ccode\u003ewww-data\u003c/code\u003e), creating or modifying files on the server and achieving RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40187 allows an attacker with administrative EGroupware credentials to elevate their privileges to arbitrary OS command execution as the web server user. From this position, an attacker can access sensitive system files (e.g., database credentials), establish persistence mechanisms, pivot to other internal systems, or completely compromise the EGroupware server and its data. The vulnerability directly affects any EGroupware installation that is not using the official Docker deployment with its hardened \u003ccode\u003ephp.ini\u003c/code\u003e settings or has had \u003ccode\u003edisable_functions\u003c/code\u003e modified. While no specific victim count is provided, all non-hardened EGroupware instances are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching EGroupware installations to a version that addresses CVE-2026-40187 immediately.\u003c/li\u003e\n\u003cli\u003eEnsure that PHP's \u003ccode\u003edisable_functions\u003c/code\u003e directive in \u003ccode\u003ephp.ini\u003c/code\u003e is properly configured to block functions like \u003ccode\u003eexec\u003c/code\u003e, \u003ccode\u003epassthru\u003c/code\u003e, \u003ccode\u003eshell_exec\u003c/code\u003e, \u003ccode\u003esystem\u003c/code\u003e, \u003ccode\u003eproc_open\u003c/code\u003e, and \u003ccode\u003epopen\u003c/code\u003e on all EGroupware servers, especially non-Docker deployments.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious process creation activities indicating potential exploitation of CVE-2026-40187.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive \u003ccode\u003eprocess_creation\u003c/code\u003e logging on all Linux servers hosting EGroupware to capture command line arguments, parent processes, and user information, which is critical for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eBlock the execution of the commands identified in the IOCs (e.g., \u003ccode\u003etouch /tmp/pwned_egw\u003c/code\u003e, \u003ccode\u003eid \u0026gt; /tmp/pwned_egw\u003c/code\u003e) at endpoint protection layers where possible.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T13:14:06Z","date_published":"2026-07-07T13:14:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-egroupware-authenticated-rce/","summary":"An authenticated EGroupware administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (`.xet`) containing unescaped backtick characters that lead to shell command execution within a PHP `eval()` call during template processing (CVE-2026-40187), impacting non-Docker or non-hardened EGroupware deployments.","title":"EGroupware Authenticated RCE via Malicious eTemplate Upload (CVE-2026-40187)","url":"https://feed.craftedsignal.io/briefs/2026-07-egroupware-authenticated-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["composer/egroupware/egroupware (\u003e= 26.0.20251208, \u003c 26.2.20260224)","composer/egroupware/egroupware (\u003c 23.1.20260224)"],"_cs_severities":["critical"],"_cs_tags":["RCE","web-vulnerability","egroupware","php","critical","exploit"],"_cs_type":"advisory","_cs_vendors":["EGroupware"],"content_html":"\u003cp\u003eA critical remote code execution (RCE) vulnerability, tracked as CVE-2026-27823, has been discovered in EGroupware, an open-source collaboration suite. This flaw allows an authenticated attacker to execute arbitrary code on the underlying server. In environments where user self-registration is enabled, the vulnerability can be exploited by an unauthenticated attacker, significantly broadening its impact. Discovered by Huong Kieu of Cenobe Security, the vulnerability stems from a chain of weaknesses: an improper authorization check in the \u003ccode\u003eSmallPartMediaRecorder::ajax_upload()\u003c/code\u003e function, which can be bypassed via crafted request data, an arbitrary file write due to path traversal, and a separate arbitrary file read vulnerability in \u003ccode\u003eimportexport_export_ui::download\u003c/code\u003e. By combining these, attackers can overwrite critical PHP files, inject malicious code, and achieve full system compromise. The vulnerability affects \u003ccode\u003ecomposer/egroupware/egroupware\u003c/code\u003e versions prior to \u003ccode\u003e23.1.20260224\u003c/code\u003e and versions \u003ccode\u003e26.0.20251208\u003c/code\u003e through \u003ccode\u003e26.1.20260223\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Authentication Bypass\u003c/strong\u003e: An attacker, potentially unauthenticated if self-registration is enabled, crafts a POST request to \u003ccode\u003e/egroupware/json.php\u003c/code\u003e targeting the \u003ccode\u003eSmallPartMediaRecorder::ajax_upload()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthorization Bypass\u003c/strong\u003e: The crafted request includes a manipulated JSON body with \u003ccode\u003eparticipant_role\u003c/code\u003e set to \u003ccode\u003e3\u003c/code\u003e (ROLE_TEACHER), bypassing the \u003ccode\u003eisTeacher\u003c/code\u003e check intended to restrict file uploads.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Write\u003c/strong\u003e: Following the authorization bypass, the attacker exploits a path traversal vulnerability via the \u003ccode\u003evideo_type\u003c/code\u003e parameter to write an arbitrary file to a controlled path, such as \u003ccode\u003e./header.inc.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Read\u003c/strong\u003e: A separate vulnerability is exploited by making a GET request to \u003ccode\u003e/egroupware/index.php?menuaction=importexport.importexport_export_ui.download\u003c/code\u003e with a malicious \u003ccode\u003e_filename\u003c/code\u003e parameter (e.g., \u003ccode\u003e../../../usr/share/egroupware/header.inc.php\u003c/code\u003e) to read the original content of the target file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection Preparation\u003c/strong\u003e: The attacker combines the original \u003ccode\u003eheader.inc.php\u003c/code\u003e content with injected PHP code (e.g., a webshell or administrative credential modification logic) to preserve file validity and ensure continued server operation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution\u003c/strong\u003e: The attacker overwrites \u003ccode\u003eheader.inc.php\u003c/code\u003e using the arbitrary file write vulnerability with the crafted content, leading to Remote Code Execution when the file is subsequently loaded by the web server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27823 leads to critical consequences, including full system compromise and complete takeover of the EGroupware instance. Attackers can gain arbitrary remote code execution on the server, allowing them to install backdoors, exfiltrate sensitive data, manipulate or destroy data, or pivot to other systems within the network. This could result in significant data breaches, operational disruption, and reputational damage for affected organizations. The ability to modify administrative setup passwords further enables persistent control over the EGroupware application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-27823 immediately\u003c/strong\u003e: Upgrade EGroupware \u003ccode\u003ecomposer/egroupware/egroupware\u003c/code\u003e to version \u003ccode\u003e23.1.20260224\u003c/code\u003e or \u003ccode\u003e26.2.20260224\u003c/code\u003e to mitigate CVE-2026-27823.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable user self-registration\u003c/strong\u003e: If not strictly necessary, disable user self-registration in EGroupware to reduce the attack surface for unauthenticated exploitation of CVE-2026-27823.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules in this brief\u003c/strong\u003e: Integrate the provided Sigma rules into your SIEM to detect attempts at exploiting the authorization bypass, arbitrary file write, and arbitrary file read components of CVE-2026-27823.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable webserver logging\u003c/strong\u003e: Ensure comprehensive logging for your EGroupware web server (access logs, error logs) to capture HTTP requests including method, URI, query parameters, and POST body details, which are critical for activating the detection rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T13:12:53Z","date_published":"2026-07-07T13:12:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-egroupware-rce/","summary":"A critical remote code execution vulnerability (CVE-2026-27823) in EGroupware allows an authenticated attacker, or an unauthenticated attacker if self-registration is enabled, to execute arbitrary commands on the server by combining an authorization bypass, arbitrary file write via path traversal, and arbitrary file read, leading to full system compromise.","title":"EGroupware Critical RCE Vulnerability (CVE-2026-27823)","url":"https://feed.craftedsignal.io/briefs/2026-07-egroupware-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Egroupware","version":"https://jsonfeed.org/version/1.1"}