CVE-2023-5965

9.1 CRITICAL

📋 TL;DR

This vulnerability allows authenticated privileged attackers to upload malicious zip files to EspoCRM servers, leading to arbitrary PHP code execution. Attackers with administrative access can compromise the entire application server. Only EspoCRM version 7.2.5 is affected.

💻 Affected Systems

Products:
  • EspoCRM
Versions: 7.2.5
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated privileged user access; standard EspoCRM installations with default settings are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise with attacker gaining full control over the EspoCRM instance and potentially the underlying server, enabling data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Attacker uploads web shell or backdoor, establishing persistent access to steal sensitive CRM data, manipulate business processes, or use server for further attacks.

🟢 If Mitigated

With proper access controls and file upload restrictions, impact limited to authenticated admin users who would already have significant privileges.

🌐 Internet-Facing: HIGH - EspoCRM instances exposed to internet are directly accessible to attackers who obtain or compromise admin credentials.
🏢 Internal Only: MEDIUM - Internal attackers with admin access could exploit, but requires privileged credentials and network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but is straightforward once authenticated; zip file manipulation is a well-documented technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.2.6 or later

Vendor Advisory: https://www.espocrm.com/blog/security-update/

Restart Required: No

Instructions:

1. Backup your EspoCRM instance and database.
2. Download latest version from espocrm.com.
3. Replace existing installation files with patched version.
4. Clear cache via Administration > Clear Cache.
5. Verify functionality.

🔧 Temporary Workarounds

Restrict File Uploads (all)

  • Temporarily disable or restrict zip file uploads through the update form
  • Modify EspoCRM configuration to reject .zip uploads or implement file type validation

Admin Access Restriction (all)

  • Limit admin account access to trusted IP addresses only
  • Implement IP whitelisting for admin panel access in web server configuration

🧯 If You Can't Patch

  • Implement strict access controls for admin accounts with MFA and monitor admin activity logs
  • Deploy WAF rules to block suspicious file upload patterns and monitor for zip file upload attempts

🔍 How to Verify

Check if Vulnerable:

Check EspoCRM version in Administration > About; if version is exactly 7.2.5, system is vulnerable.

Check Version:

Check the version in the EspoCRM admin panel (Administration > About) or inspect the version entry in /data/config.php (relative to the EspoCRM installation directory).

Verify Fix Applied:

Verify version is 7.2.6 or higher in Administration > About; test that zip uploads are properly validated.
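The version check above can be scripted for fleet-wide verification. The following is an added example, not EspoCRM's own tooling: it assumes data/config.php is a PHP file containing a `'version' => '7.2.5'` style entry (format assumed here, not taken from the advisory) and classifies the install against the single affected version and the first fixed version named on this page.

```python
"""Classify an EspoCRM install against CVE-2023-5965 from its config.php version string.

Added example, not EspoCRM's own code. Assumption: data/config.php holds an entry
like 'version' => '7.2.5' (quote style may vary); the sample text below is constructed.
"""
import re
from pathlib import Path

AFFECTED = (7, 2, 5)   # the only version the advisory lists as affected
FIXED = (7, 2, 6)      # first patched version per the advisory

# Matches 'version' => '7.2.5' or "version" => "7.2.5" (assumed config.php layout).
VERSION_RE = re.compile(r"""['"]version['"]\s*=>\s*['"]([0-9][0-9.]*)['"]""")


def parse_version(text):
    """Return the version as an int tuple, e.g. (7, 2, 5), or None if not found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def assess(version):
    """'vulnerable' for 7.2.5, 'fixed' for >= 7.2.6, 'not-listed' otherwise, 'unknown' if unparsed."""
    if version is None:
        return "unknown"
    if version == AFFECTED:
        return "vulnerable"
    if version >= FIXED:      # tuple comparison handles 7.10.0 > 7.2.6 correctly
        return "fixed"
    return "not-listed"       # older than 7.2.5: not named in the advisory, but also unpatched


def check_config(path):
    """Read a config.php from disk and classify it."""
    return assess(parse_version(Path(path).read_text(encoding="utf-8")))


# Constructed sample config text (not a real installation file).
SAMPLE_CONFIG = (
    "<?php\n"
    "return [\n"
    "  'version' => '7.2.5',\n"
    "  'siteUrl' => 'https://crm.example.test',\n"
    "];\n"
)

if __name__ == "__main__":
    print(assess(parse_version(SAMPLE_CONFIG)))  # vulnerable
```

Run `check_config("/path/to/espocrm/data/config.php")` against each instance; treat "unknown" as a failed check rather than a pass, since an unparsed file says nothing about the version.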

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin login patterns
  • Zip file uploads via update form
  • PHP file execution from unexpected locations

Network Indicators:

  • POST requests with zip files to update endpoints
  • Outbound connections from EspoCRM server to unknown IPs

SIEM Query:

source="espocrm" AND (file_extension=".zip" OR action="upload") AND user_role="admin"
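The SIEM query above fires on every admin zip upload, including planned upgrades, and says nothing about the follow-on indicator "PHP file execution from unexpected locations". The following added example (not EspoCRM's own logging, and not part of the advisory) implements the same query over constructed JSON audit events, suppresses hits from a hypothetical maintenance allowlist so that scheduled upgrades do not page, and adds a second check for web-server requests to .php files outside assumed entry-point prefixes. Field names (source, action, file_extension, user_role, src_ip, path) are chosen to match the query and are assumptions.

```python
"""Apply the advisory's SIEM logic, plus an unexpected-PHP check, to constructed audit events.

Added example; event schema, the maintenance allowlist and the PHP entry-point
prefixes are all assumptions chosen for illustration, and the log lines are constructed.
"""
import json

# Hypothetical workstations from which a planned upgrade may legitimately upload a zip.
MAINTENANCE_IPS = {"10.0.5.20"}


def matches_query(ev):
    """Mirror of: source="espocrm" AND (file_extension=".zip" OR action="upload") AND user_role="admin"."""
    return (ev.get("source") == "espocrm"
            and (ev.get("file_extension") == ".zip" or ev.get("action") == "upload")
            and ev.get("user_role") == "admin")


def triage(events):
    """Split query hits into (alerts, expected): outside vs. inside the maintenance allowlist."""
    alerts, expected = [], []
    for ev in events:
        if not matches_query(ev):
            continue
        (expected if ev.get("src_ip") in MAINTENANCE_IPS else alerts).append(ev)
    return alerts, expected


def unexpected_php(events, allowed_prefixes):
    """Web-server requests for .php files whose path is outside the allowed entry-point prefixes."""
    prefixes = tuple(allowed_prefixes)
    return [ev for ev in events
            if ev.get("source") != "espocrm"
            and ev.get("file_extension") == ".php"
            and not ev.get("path", "").startswith(prefixes)]


def parse_events(text):
    """One JSON object per line; blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample: a daytime upgrade from the allowlisted host, a non-admin PDF upload,
# a night-time admin zip upload from an outside address, then a request for a .php file
# under a non-standard path. Paths and addresses are illustrative only.
SAMPLE_LOG = """\
{"ts":"2023-11-06T09:12:01Z","source":"espocrm","user":"admin","user_role":"admin","src_ip":"10.0.5.20","action":"upload","file_extension":".zip","path":"/admin/update"}
{"ts":"2023-11-06T09:14:44Z","source":"espocrm","user":"jdoe","user_role":"regular","src_ip":"10.0.8.3","action":"upload","file_extension":".pdf","path":"/document"}
{"ts":"2023-11-06T23:41:07Z","source":"espocrm","user":"admin","user_role":"admin","src_ip":"203.0.113.77","action":"upload","file_extension":".zip","path":"/admin/update"}
{"ts":"2023-11-06T23:42:30Z","source":"nginx","user":"-","user_role":"-","src_ip":"203.0.113.77","action":"request","file_extension":".php","path":"/uploads/x.php"}
"""

# Hypothetical entry points a stock deployment is expected to serve PHP from.
EXPECTED_PHP_PREFIXES = ("/index.php", "/api/")

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    alerts, expected = triage(events)
    for ev in alerts:
        print("ALERT zip upload:", ev["ts"], ev["user"], ev["src_ip"], ev["path"])
    for ev in unexpected_php(events, EXPECTED_PHP_PREFIXES):
        print("ALERT unexpected PHP:", ev["ts"], ev["src_ip"], ev["path"])
```

Correlating the two alerts on src_ip (both come from 203.0.113.77 in the sample) is what turns a noisy "admin uploaded a zip" signal into a credible post-exploitation finding; the allowlist is a convenience for change windows, not a security control, and should itself be reviewed.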
