CVE-2025-67886 - Vulnerability Analysis
Severity: Medium | CVSS: 6.3 | Last Updated: May 8, 2026
Bitrix24 - Remote Code Execution
Published: May 8, 2026 | Updated: May 8, 2026 | PoC Available | Remote Exploitable
Overview
Bitrix24 through 25.100.300 contains a remote code execution vulnerability caused by the upload and execution of PHP and .htaccess files by actors with SOURCE/WRITE permissions in the Translate Module. This lets attackers execute arbitrary code remotely; exploitation requires SOURCE/WRITE permissions.
Severity & Score
Severity: Medium
CVSS Score: 6.3
Impact
Attackers with SOURCE/WRITE permissions can execute arbitrary code remotely, potentially leading to full system compromise.
Mitigation
Update to a version later than 25.100.300 or apply the vendor-recommended mitigations.
References
- https://www.bitrix24.com/self-hosted/
- http://seclists.org/fulldisclosure/2025/Dec/21
- https://dev.1c-bitrix.ru/api_help/translate/index.php
- https://dev.1c-bitrix.ru/learning/course/?COURSE_ID=43&LESSON_ID=3055
- https://karmainsecurity.com/pocs/CVE-2025-67886.php
- https://seclists.org/fulldisclosure/2025/Dec/21
Details
- CVE ID: CVE-2025-67886
- Severity: Medium
- CVSS Score: 6.3
- Type: remote_code_execution
- Status: unconfirmed
CWE
- CWE-434
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L