Multiple vtenext Flaws Allow Attackers to Bypass Authentication and Run Remote Code
Security researcher Mattia “0xbro” Brollo disclosed a trio of severe vulnerabilities in vtenext CRM (versions 25.02 and earlier) that enable unauthenticated attackers to completely bypass login controls and execute arbitrary code on affected installations.
Although vtenext quietly patched one of these flaws in version 25.02.1, two equally dangerous vectors remain unaddressed—placing countless small and medium‐sized enterprises at risk worldwide.
The first authentication bypass chain abuses a reflected cross‐site scripting (XSS) flaw in the HomeWidgetBlockList module, where unsanitized widgetId values are returned with a Content-Type: text/html header.
Attackers can inject JavaScript payloads via POST or, due to HTTP method tampering, via GET requests without any CSRF token check.
A companion information‐disclosure bug in the Touch module then leaks the victim’s session cookie, fully defeating the HttpOnly flag and granting session hijacking capability.
Proof‐of‐concept code demonstrates how an injected <img onerror> payload exfiltrates PHPSESSID to an attacker‐controlled server.
Vector two combines the same XSS and CSRF bypass with an SQL injection in modules/Fax/EditView.php.
Here, user‐supplied field names are interpolated into SQL queries—even though prepared statements are nominally used—allowing attackers to extract arbitrary data.
Beyond simply reading user credentials, the injection can harvest password‐reset tokens from the vte_userauthtoken table, enabling off‐line token cracking or direct password resets via the CRM’s recovery endpoints.
The most potent flaw—silently patched in vtenext 25.02.1 but still present elsewhere—is an arbitrary password reset vulnerability in hub/rpwd.php.
Attackers supply a crafted POST request to invoke the change_password action without requiring a valid token or the victim’s current password.
By passing any user_name and confirm_new_password parameters, the attacker triggers a direct database update that sets a new password for the target account and invalidates existing tokens.
Once authenticated—potentially as an administrator—adversaries gain multiple paths to remote code execution (RCE).
Local file inclusion (LFI) flaws in various modules permit traversal and inclusion of arbitrary .php files on disk.
In environments with the PEAR framework installed, attackers can include pearcmd.php to write backdoor scripts to the webroot.
Alternatively, legitimate module‐upload functionality can be abused: an attacker holding administrator access, or an administrator tricked into doing so, can import a custom module containing a simple web shell and thereby obtain persistent RCE within the CRM.
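As an added, defender‐side illustration (not code from the disclosure or from vtenext), the following Python scans access‐log lines for requests touching the endpoints named above; the log lines are constructed, and the index.php?module=...&action=... URL shape, the rpwd.php query parameter names and the indicator regexes are assumptions rather than details taken from the product.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Constructed access-log lines; the index.php URL shape and rpwd.php parameter names are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jul/2025:10:01:02 +0000] "GET /index.php?module=Home&action=HomeWidgetBlockList&widgetId=%3Cimg%20onerror%3Dx%3E HTTP/1.1" 200 512
10.0.0.7 - - [24/Jul/2025:10:02:10 +0000] "POST /hub/rpwd.php?action=change_password&user_name=admin HTTP/1.1" 200 88
10.0.0.9 - - [24/Jul/2025:10:03:44 +0000] "GET /index.php?module=Fax&action=EditView&record=1 HTTP/1.1" 200 9000
10.0.0.9 - - [24/Jul/2025:10:03:59 +0000] "GET /index.php?module=Fax&action=EditView&record=1&field=subject%27-- HTTP/1.1" 500 120
10.0.0.9 - - [24/Jul/2025:10:04:01 +0000] "GET /index.php?module=Settings&file=..%2F..%2Fpearcmd.php HTTP/1.1" 200 300
10.0.0.3 - - [24/Jul/2025:10:05:00 +0000] "GET /index.php?module=Home&view=List HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
XSS_CHARS = re.compile(r"[<>]|\bon\w+=|javascript:", re.IGNORECASE)
SQLI_CHARS = re.compile(r"['\"`]|--|/\*|\bunion\b|\bselect\b", re.IGNORECASE)

def classify(method, target):
    """Return the indicator names matched by one request line (empty list if benign)."""
    url = urlsplit(target)
    path, query = url.path.lower(), url.query.lower()
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes keys and values
    flat = " ".join(list(params) + [v for vs in params.values() for v in vs])
    hits = []
    if "action=homewidgetblocklist" in query and "widgetId" in params:
        if any(XSS_CHARS.search(v) for v in params["widgetId"]):
            hits.append("xss-widgetId")  # reflected sink returned as text/html
        if method == "GET":
            hits.append("widgetId-via-GET")  # method tampering, no CSRF token check
    if path.endswith("/hub/rpwd.php") and ("change_password" in query or "confirm_new_password" in params):
        hits.append("password-reset-without-token")  # reset reachable without token or current password
    if "module=fax" in query and "action=editview" in query and SQLI_CHARS.search(flat):
        hits.append("sqli-fax-editview")  # field names interpolated into SQL despite prepared statements
    if "pearcmd.php" in unquote(target).lower():
        hits.append("lfi-pearcmd")  # LFI chained through PEAR's pearcmd.php
    return hits

def scan_log(text):
    """Map each request target that matched at least one indicator to its indicator names."""
    findings = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        hits = classify(m["method"], m["target"]) if m else []
        if hits:
            findings[m["target"]] = hits
    return findings

if __name__ == "__main__":
    for target, hits in scan_log(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", target)
```

Standard access logs do not record POST bodies, so parameters sent only in a request body are visible solely when a reverse proxy or WAF logs them; the checks above work on the request line.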
Brollo’s disclosure timeline reveals three months of unsuccessful outreach to the vendor, who finally released a “silent patch” for the password‐reset flaw on July 24, 2025, without acknowledgment or credit.
In a belated response on August 13, vtenext attributed communication failures to spam filtering and noted that some issues were already patched during third‐party VAPT assessments.
With no coordinated disclosure policy in place, two critical vectors remain live in millions of lines of legacy code.
Organizations running vtenext must upgrade immediately to version 25.02.1 and verify that CSRF, XSS, and password‐reset endpoints are properly secured.
Until the remaining exploits are fixed, the CRM’s users—particularly resource‐constrained small and mid‐size businesses—stay exposed to full account takeover and remote server compromise.