CVE-2025-67887
CriticalSummary
1C-Bitrix version 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file.
Risk Assessment
The organization may be exposed to malicious actions if unauthorized users gain access to SOURCE/WRITE permissions, potentially leading to system compromise.
Recommendation
It is recommended to restrict permissions for the Translate Module and monitor the activities of high-privileged users to prevent unauthorized file uploads.
Original NVD description (English source)
1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.

