Description
Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
Published: 2026-05-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a code-upload flaw (CWE-434) in Bitrix24's Translate Module: a user holding SOURCE/WRITE permissions for the module can upload a PHP file together with a .htaccess file, and the combination lets the uploaded code execute on the web server. The vendor disputes the entry because writing translated pages is the module's intended function for high-privileged users; the security-relevant point is that a module-level content permission is thereby equivalent to arbitrary code execution on the host. An attacker who obtains such an account, for example through credential compromise or a misassigned permission, can fully compromise the affected web server, with loss of confidentiality, integrity and availability.

Affected Systems

Bitrix24 versions up to and including 25.100.300 are affected; any installation in which the Translate Module is enabled and accounts hold SOURCE/WRITE permissions for it is exposed. No other vendors or products are listed, so the impact is specific to Bitrix24 installations within the stated version range.

Risk and Exploitability

Exploitation requires an authenticated account that already holds SOURCE/WRITE permissions for the Translate Module and can reach its upload feature. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) records a network-reachable, low-complexity attack that needs low privileges and no user interaction, but rates the confidentiality, integrity and availability impact as Low, which is why the score is 6.3 (Medium) despite the code-execution outcome. The SSVC assessment records proof-of-concept exploitation and marks the issue as not automatable; the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The vendor's dispute does not change the technical risk: wherever an attacker can obtain such an account, the permission grants code execution on the web server.

Generated by OpenCVE AI on May 8, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch or updated release if one is published; because the vendor currently disputes the issue, do not plan on one appearing and apply the controls below regardless.
  • Restrict Translate Module permissions so that only a minimal set of trusted administrators hold SOURCE/WRITE rights, and review which accounts hold them today, since each of them is effectively a code-execution account.
  • Configure the web server so that nothing under the translation upload directory is executed as PHP, and set this in the main server configuration (for Apache, AllowOverride None for that directory plus removal of the PHP handler there) rather than in a per-directory .htaccess file: the attack uploads its own .htaccess, so a policy that itself lives in .htaccess is exactly what the attacker overwrites. Deployments that serve Bitrix through nginx do not process .htaccess at all, but still need the PHP location block to exclude the upload directory so that an uploaded PHP file is not passed to PHP-FPM.

Generated by OpenCVE AI on May 8, 2026 at 23:05 UTC.

Advisories

No advisories yet.

History

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Bitrix
Bitrix bitrix24
Vendors & Products Bitrix
Bitrix bitrix24

Fri, 08 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Translate Module Upload in Bitrix24

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Bitrix24 Remote Code Execution via Translate Module Upload
Weaknesses CWE-285
CWE-94

Fri, 08 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Bitrix24 Remote Code Execution via Translate Module Upload
Weaknesses CWE-285
CWE-94

Fri, 08 May 2026 07:30:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T17:50:46.526Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67886

Vulnrichment

Updated: 2026-05-08T05:52:25.556Z

NVD

Status : Awaiting Analysis

Published: 2026-05-08T07:16:28.180

Modified: 2026-05-08T18:16:32.947

Link: CVE-2025-67886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T16:11:33Z

Weaknesses